[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Jean-Marc Orliaguet jmo at ita.chalmers.se
Tue Oct 12 10:15:38 EDT 2004


> On Tue, 2004-10-12 at 15:04 +0200, Jean-Marc Orliaguet wrote:
>> > There is still the possibility to steal your sessionid, but at least
>> > you won't get your password stolen. People tend to use the same
>> > password for many things: logging in to the computer at work, for
>> > checking email, for the computer at home, for bank accounts, etc etc.
>> > Stealing your sessionid will perhaps authenticate the person to your
>> > site, but it will not allow him to use your bank accounts.
>>
>> That is precisely the problem: with the session ID you can steal the
>> base64 encrypted user:password string that is stored by SessionCrumbler
>> in the session.
>
> How is this supposed to work? I suppose this still requires some kind of
> server script actually reading the session from the server memory,
> doesn't it? The only thing that is transmitted (either per cookie or URL)
> is the browser ID, which means the thing that connects sessions to
> browsers and not the session data itself. Correct me if I am wrong.
>

All you need to do is to set a _ZopeID cookie that you have stolen, log in
(you are already logged in), and use the 'mail password' script to send
the password.

/JM
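The design point argued in this exchange, as an added illustration that is not code from the thread or from CMF/Plone: a constructed, simplified model of Zope's session machinery (opaque browser id in the cookie, session data server-side) compares a SessionCrumbler-style session that retains the base64 `user:password` string with a session that records only the authenticated principal. The function and variable names are assumptions made for the example; base64 is a reversible encoding, so whatever is stored that way can be read back by anything that can reach the session.

```python
import base64
import secrets

# Constructed model of the mechanism described in the thread: the browser
# carries only an opaque id; the session data lives server-side, keyed by it.
SESSIONS = {}


def new_session():
    """Issue a fresh browser id (the value the cookie would carry)."""
    browser_id = secrets.token_hex(16)
    SESSIONS[browser_id] = {}
    return browser_id


def crumbler_style_login(browser_id, user, password):
    """SessionCrumbler-style login as the thread describes it: the session
    keeps base64('user:password'). Names here are assumptions, not CMF code."""
    creds = f"{user}:{password}".encode()
    SESSIONS[browser_id]["__ac"] = base64.b64encode(creds).decode()


def principal_only_login(browser_id, user, password):
    """Hardened variant (added here): verify the password at login time, then
    record only who authenticated. The password is not retained anywhere."""
    SESSIONS[browser_id]["principal"] = user


def password_recoverable_from(browser_id):
    """Risk check a reviewer would run: what can a request that presents this
    session id recover? Models JM's point that a feature reading the stored
    credentials (such as a 'mail password' script) turns session-id theft
    into password theft. Returns the password, or None if none is stored."""
    data = SESSIONS.get(browser_id, {})
    if "__ac" not in data:
        return None
    _user, _sep, password = base64.b64decode(data["__ac"]).decode().partition(":")
    return password


if __name__ == "__main__":
    sid = new_session()
    crumbler_style_login(sid, "alice", "s3cret")
    print("crumbler-style session leaks:", password_recoverable_from(sid))
    sid2 = new_session()
    principal_only_login(sid2, "alice", "s3cret")
    print("principal-only session leaks:", password_recoverable_from(sid2))
```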
