Cyrille Bonnet wrote:
> Hi there,
>
> I have been telling all my clients about how great Zope is for security:
> fine-grained permissions, security framework, roles, etc.
>
> Now, one of my clients has a security expert who took a close look at
> how Zope authenticates users. The results were not good.
>
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).
*Zope* doesn't do that. It's the (infamous) CookieCrumbler product that is
responsible for this horror.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.
>
> I know, the odds of that happening are low, but storing the username and
> password in clear text is clearly not best practice.

That's an understatement.

> So, my question is: is there a way to secure Zope authentication?

Yes: use https.

--
bruno desthuilliers
developer
[EMAIL PROTECTED]
http://www.modulix.com

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
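Added example, not part of the thread above and not CookieCrumbler's or Zope's own code: it shows concretely why "base64 encoded" is the same thing as clear text on the wire, what a passive observer on the internal network recovers from a single plain-HTTP request, and the check that belongs with the advice "use https". The cookie name `__ac` and the `urlquote(base64("user:password"))` layout are assumptions about the product, and the request, headers and credentials are constructed for the example.

```python
"""Added example: a base64 auth cookie is cleartext, and what to check for.

Assumptions (not taken from the mail thread): the cookie is named "__ac" and
holds urlquote(base64("user:password")). The request, headers and credentials
below are constructed for this example.
"""
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

AUTH_COOKIE = "__ac"  # assumed cookie name


def encode_ac_cookie(user: str, password: str) -> str:
    """Build the cookie value the way the complaint describes: base64, then
    URL-quoted. base64 is an encoding, not encryption: anyone who sees the
    value can reverse it with no key."""
    raw = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return quote(raw, safe="")


def decode_ac_cookie(value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a cookie value, or None if the value is
    not a well-formed user:password token. The split is on the first ':' so a
    password containing ':' survives (assumes user names contain no ':')."""
    try:
        raw = base64.b64decode(unquote(value), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def parse_cookie_header(header_value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; parts without '=' are ignored."""
    cookies: Dict[str, str] = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def credentials_from_request(raw_request: str) -> Optional[Tuple[str, str]]:
    """What a passive observer on the network learns from one plain-HTTP
    request: read the Cookie header, decode the auth cookie."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            cookies = parse_cookie_header(value.strip())
            if AUTH_COOKIE in cookies:
                return decode_ac_cookie(cookies[AUTH_COOKIE])
    return None


def audit_set_cookie(set_cookie_value: str) -> List[str]:
    """Check a Set-Cookie value for what matters once 'use https' is followed.
    'Secure' is the part people forget: without it the browser still sends the
    cookie over plain http, so one http:// link leaks the credentials even on
    an https site. And even over TLS the cookie still carries the password."""
    findings: List[str] = []
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plain http")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if name == AUTH_COOKIE and decode_ac_cookie(value) is not None:
        findings.append("value decodes to user:password credentials")
    return findings


SAMPLE_REQUEST = (  # constructed: the request as seen on the wire without TLS
    "GET /manage_main HTTP/1.1\r\n"
    "Host: zope.internal.example\r\n"
    f"Cookie: tree-s=eJzT0yMAAGTvBe8; {AUTH_COOKIE}={encode_ac_cookie('alice', 's3cret')}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("observer recovers:", credentials_from_request(SAMPLE_REQUEST))
    for hdr in (f"{AUTH_COOKIE}=YWxpY2U6czNjcmV0; Path=/",
                f"{AUTH_COOKIE}=YWxpY2U6czNjcmV0; Path=/; Secure; HttpOnly"):
        print(hdr, "->", audit_set_cookie(hdr) or ["no findings"])
```

The audit deliberately keeps reporting the cookie as credential-bearing even when `Secure` and `HttpOnly` are set: TLS stops the man-in-the-middle, but anything that obtains the cookie afterwards (a log, a proxy, a browser profile) still obtains the password itself rather than a revocable session token.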