[Zope-CMF] CookieCrumbler security issue?

Chris Withers chris at simplistix.co.uk
Wed Jan 21 06:33:51 EST 2004


Hi All,

These seem to be the best places to discuss this as CookieCrumbler is probably 
most heavily used in CMF and hence Plone.

I have mailed Shane about this but I'm interested in what suggestions other 
people have too :-)

Some guys here in the UK were looking to use Cookie Crumbler for one
of their projects. One of their sysadmins rightly pointed out:

 > I have just tried to enter the management screen for
 > [department x] and get a strange login screen. How do
 > I differentiate this (non-descript) form from a password
 > collector collecting our passwords?

Well, https for the login screen would be what I would suggest for that, how
about you guys?

 > Secondly this product (Cookie Crumbler) then sets a cookie
 > containing the BASE64 encoding of the username and password
 > which is sent to all web pages (path="/") in both secure
 > and insecure fetches.

...and I think he's got a fair point, the password is unencrypted and
potentially lying around on any machine where someone's logged in using Cookie
Crumbler. I'm pretty sure the path it is sent to is customisable, but you've 
still got the username and password flying around essentially in clear text.

I know this is what happens with basic auth when it's not over https too, but 
I'm interested in making Cookie Crumbler authentication more secure...

My initial idea was to crypt the details sent to the user, but this really 
doesn't help too much other than obscuring the actual username and password. The 
crypted cookie could still be used just as effectively to gain unauthorised access.

What solutions would you guys propose?

cheers,

Chris
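As an added example (not CookieCrumbler's code, and not something Chris or Shane posted), here is a small Python 3 demo of the two points raised above: the base64 cookie decodes straight back to the username and password, and an encrypted cookie would still be accepted on replay because the server, not the attacker, does the decrypting. It then shows one design a reply might propose: an HMAC-signed, expiring session cookie that never carries the password, set with the Secure attribute and a narrower Path so it is not sent on insecure fetches of every page. The user table, the toy XOR "cipher", the 8-hour lifetime, the cookie name `__ac` and the `/manage` path are all assumptions made for the demo.

```python
"""Replayable credential cookies versus a signed, expiring session cookie.
Added example; not CookieCrumbler code.  The user table, the toy XOR cipher,
the TTL and the cookie name/path are assumptions for the demo."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed user table (hypothetical): password stored as salted SHA-1.
_USERS = {"alice": (b"salt", hashlib.sha1(b"salt" + b"s3cret").digest())}


def _verify_password(user: str, password: str) -> Optional[str]:
    """Return the user name if the password matches the stored digest, else None."""
    rec = _USERS.get(user)
    if rec is None:
        return None
    salt, digest = rec
    ok = hmac.compare_digest(hashlib.sha1(salt + password.encode()).digest(), digest)
    return user if ok else None


# --- 1. the scheme the post describes: cookie = base64("user:password") ---

def make_credential_cookie(user: str, password: str) -> str:
    return base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def decode_credential_cookie(cookie: str) -> Tuple[str, str]:
    """Base64 is encoding, not encryption: anyone holding the cookie gets both values."""
    user, _, password = base64.b64decode(cookie).decode().partition(":")
    return user, password


def check_credential_cookie(cookie: str) -> Optional[str]:
    return _verify_password(*decode_credential_cookie(cookie))


# --- 2. "crypt the details": hides the bytes, but the server still decrypts any copy ---

_COOKIE_KEY = secrets.token_bytes(32)  # server-side secret (hypothetical)


def _toy_xor(data: bytes) -> bytes:
    # Stand-in for a real cipher (keyed keystream XOR).  Only here to show that
    # hiding the bytes does not stop replay; not a secure construction.
    ks = hashlib.sha256(_COOKIE_KEY).digest()
    ks = (ks * (len(data) // len(ks) + 1))[: len(data)]
    return bytes(a ^ b for a, b in zip(data, ks))


def make_encrypted_cookie(user: str, password: str) -> str:
    return base64.b64encode(_toy_xor(f"{user}:{password}".encode())).decode("ascii")


def check_encrypted_cookie(cookie: str) -> Optional[str]:
    user, _, password = _toy_xor(base64.b64decode(cookie)).decode().partition(":")
    return _verify_password(user, password)


# --- 3. a session cookie: no password inside, signed, and it expires ---

_SESSION_KEY = secrets.token_bytes(32)  # server-side HMAC key (hypothetical)
SESSION_TTL = 8 * 3600                  # assumed lifetime: one working day


def issue_session_cookie(user: str, now: Optional[float] = None) -> str:
    """user|expiry|nonce|hmac -- issued only after the password was checked once over https."""
    if "|" in user:
        raise ValueError("user name may not contain the separator")
    now = time.time() if now is None else now
    body = f"{user}|{int(now) + SESSION_TTL}|{secrets.token_hex(8)}"
    tag = hmac.new(_SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def check_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Reject anything not signed by this server, anything tampered with, and anything expired."""
    now = time.time() if now is None else now
    try:
        user, expiry, nonce, tag = cookie.split("|")
        expiry_ts = int(expiry)
    except ValueError:
        return None
    body = f"{user}|{expiry}|{nonce}"
    expected = hmac.new(_SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if expiry_ts <= now:
        return None
    return user


def set_cookie_header(name: str, value: str, path: str = "/manage", secure: bool = True) -> str:
    """Secure keeps the cookie off plain-http fetches; Path keeps it off unrelated pages."""
    attrs = [f"{name}={value}", f"Path={path}"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    captured = make_credential_cookie("alice", "s3cret")   # sniffed on an http fetch
    print("decoded:", decode_credential_cookie(captured))
    print("replay of base64 cookie accepted as:", check_credential_cookie(captured))
    print("replay of encrypted cookie accepted as:",
          check_encrypted_cookie(make_encrypted_cookie("alice", "s3cret")))
    sess = issue_session_cookie("alice")
    print(set_cookie_header("__ac", sess))
    print("session valid for:", check_session_cookie(sess))
```

The session cookie is still a bearer token, so a copy taken during its lifetime is usable until it expires; the gains are that the password itself is never on the wire or on disk, the Secure attribute stops the browser sending it over plain http at all, and a server-side revocation list keyed on the nonce can cut a stolen one off early.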
