[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Jean-Marc Orliaguet jmo at ita.chalmers.se
Tue Oct 12 09:04:16 EDT 2004


>> It is more secure in a sense, and less secure in another sense, it just
>> moves the weakest link from one place to another..
>> If you are doing external authentication (krb, cas, AD, ...), then the
>> only viable alternative is to not store the password anywhere, this is
>> when it becomes more secure, otherwise any other option is just as
>> insecure since the main password can get compromised.
>
> With SessionCrumbler I can choose to only encrypt (SSL) the login
> procedure. With CookieCrumbler I have to encrypt every response to
> ensure that the password is not leaked. Because of performance I'd like
> to avoid that.
>
> There is still the possibility to steal your sessionid, but at least you
> won't get your password stolen. People tend to use the same password for
> many things: logging in to the computer at work, for checking email, for the
> computer at home, for bank accounts, etc etc. Stealing your sessionid
> will perhaps authenticate the person to your site, but it will not allow
> him to use your bank accounts.
>

That is precisely the problem: with the session ID you can steal the
base64 encrypted user:password string that is stored by SessionCrumbler in
the session.

/JM
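The two storage designs argued over in this thread, as an added illustration that is not code from Zope, CMF, Plone, CookieCrumbler or SessionCrumbler. The first function reproduces the pattern JM objects to (the user:password pair kept as a base64 string, which is reversible encoding rather than encryption, so whoever reaches the cookie or session record reads the password back). The `SessionStore` class shows the alternative the thread hints at: verify the password once at login, keep only a random session id mapped to the user name, and store the password nowhere. All names, the `verify` callback and the sample credentials are assumptions constructed for the demonstration.

```python
import base64
import secrets

# Constructed sample credentials for the demonstration (not real accounts).
USER, PASSWORD = "alice", "hunter2-example"


def base64_credential_token(user, password):
    """Pattern discussed in the thread: the raw user:password pair is
    base64-encoded and used as the login token. Base64 is reversible
    encoding, not encryption, so the token *is* the password."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_credentials(token):
    """Anyone who obtains the token (from the cookie or from the server-side
    session record) can decode the original user name and password."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class SessionStore:
    """Hardened alternative: the server maps a random session id to the
    authenticated user name only. The password is checked once at login
    and never written to the session, so a leaked session record or id
    exposes the session, not the reusable password."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, password, verify):
        """`verify` stands in for the real credential check (LDAP, Kerberos,
        password hash comparison, ...). Returns a session id or None."""
        if not verify(user, password):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid):
        """Resolve a session id to a user; unknown ids resolve to None."""
        return self._sessions.get(sid, {}).get("user")

    def stored_record(self, sid):
        """Expose the stored record so callers can confirm what a compromise
        of the session store would actually reveal."""
        return self._sessions.get(sid)


if __name__ == "__main__":
    token = base64_credential_token(USER, PASSWORD)
    print("base64 token decodes to:", recover_credentials(token))

    store = SessionStore()
    sid = store.login(USER, PASSWORD, lambda u, p: (u, p) == (USER, PASSWORD))
    print("session record holds only:", store.stored_record(sid))
```

A stolen session id still authenticates its holder against this site, exactly as the quoted reply concedes; the difference is that decoding or dumping the session record yields no password that could be replayed against the user's other accounts.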
