> Yes, I do realise that it's hard. Regarding the cookie comment that
> was the reason I wanted to use Apache <location> based login.

>>Huh? I'm sure some people would love to know how those two things relate
>>in your head...
 
>>>I wanted to use an Apache served login box before the Zope/Plone site is served but I've decided against that now as authentication should be closely linked to the application. Also Apache <location> based authentication isn't cookie based. Now going with Zope/Plone auth over SSL alone with cookies set to expire.

> I do
> realise that leaving a logon cookie is insecure and that comment was
> perhaps misguided. I started to think about usability etc.

>>If you're lucky, you might get a system that's both insecure _and_
>>unusable ;-)
 
>>>My aim is security with a good level of usability and I'll achieve that :-)

> I'm going to block 8080 at the router/firewall level as Zope obviously
> needs to keep serving through 8080 to Apache.

>>using iptables in the box is probably a better idea...
 
>>>thanks for the advice but I'll probably go with router level

> As for the issue with IE6 and editing pages over SSL it all works fine
> in Firefox 1.5, so it's a browser issue which I just can't quite
> fathom just now.

>>I doubt it, my guess would still be that you're doing something wrong
>>somewhere...
 
>>>Sorry but I don't agree on this one. I haven't altered any of the Plone 'edit page' functionality. It's out of the box. Works fine without SSL but on SSL trying to edit a page causes 'can't find server'. Firefox though works perfectly viewing and editing so it's a browser issue. I know of other people who have issues with IE and posting images over SSL. Must be something to do with POST security over IE. I'm going to take it up with them but don't expect too much of a response. I'm now about to try with Opera.

 
On 2/14/06, Igor Stroh <[EMAIL PROTECTED]> wrote:
michael nt milne wrote:
> Yes, I do realise that it's hard. Regarding the cookie comment that
> was the reason I wanted to use Apache <location> based login. I do
> realise that leaving a logon cookie is insecure and that comment was
> perhaps misguided. I started to think about usability etc.
>
> I'm going to block 8080 at the router/firewall level as Zope obviously
> needs to keep serving through 8080 to Apache.

No need to do that, just configure your zope (etc/zope.conf) to
listen only on your loopback interface:

<http-server>
address 127.0.0.1:8080
</http-server>

And btw, Zope doesn't *need* to serve on 8080...

HTH,
Igor
_______________________________________________
Zope maillist  -   Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )



--
Michael
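
A check for the loopback binding suggested in the quoted reply, as an added example that is not part of the original thread: it reads zope.conf text and reports any `<http-server>` address not restricted to loopback. The sample config fragments are constructed, and treating a bare port as "all interfaces" is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample zope.conf fragments (not taken from a real deployment).
SAMPLE_EXPOSED = """\
<http-server>
  # bare port: no interface given
  address 8080
</http-server>
"""
SAMPLE_LOOPBACK = """\
<http-server>
  address 127.0.0.1:8080
</http-server>
"""

SECTION_RE = re.compile(r"<http-server[^>]*>(.*?)</http-server>", re.S | re.I)


def http_server_addresses(conf_text):
    """Return every 'address' value found inside <http-server> sections."""
    found = []
    for body in SECTION_RE.findall(conf_text):
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):   # skip blanks and comment lines
                continue
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "address":
                found.append(parts[1].strip())
    return found


def is_loopback_only(address):
    """True only when the value names an explicit loopback host."""
    host, sep, _port = address.rpartition(":")
    if not sep:            # bare port such as "8080": assumed to mean all interfaces
        return False
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:     # unknown hostname: cannot prove it is loopback
        return False


def exposed_listeners(conf_text):
    """List http-server addresses that are not restricted to loopback."""
    return [a for a in http_server_addresses(conf_text) if not is_loopback_only(a)]
```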