[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler
Tres Seaver
tseaver at zope.com
Tue Oct 12 11:28:48 EDT 2004
Simon Eisenmann wrote:
> On Tue, 2004-10-12 at 16:15 +0200, Jean-Marc Orliaguet wrote:
>
>
>>All you need to do is to set a _ZopeID cookie that you have stolen, login
>>(you are already logged in), and use the 'mail password' script to send
>>the password.
>
>
> Ok, right, that's a problem. But I think I can wrap the password in the
> session inside a special object which itself does some additional
> verification that this request really may access this session. Such
> additional checks could check the source IP address of the client, for
> instance. Doing stuff like this would mean that the user needs to fake an
> HTTP request, which is a bit more complex than just using the mail
> password script. How do you feel about this?
No truly secure system keeps the user's plaintext password *anywhere*
(the "mail me my password" bit can only be a "reset my password and mail
me the reset value" in such a system). The hack which CookieCrumbler
uses (and I presume SessionCrumbler, from the discussion) makes a
request *look* to Zope like basic auth, and therefore has to keep the
plaintext password around somewhere.
Personally, I don't see a lot of benefit in expending development effort
trying to polish a fundamentally insecure approach. Basic auth over SSL
is actually more secure than either of the two "crumblers"; digest auth
would be even better, and client certificates better than that.
Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
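The design Tres describes, a store that keeps no plaintext password and can therefore only offer "reset my password and mail me the reset value", as an added example that is not part of the thread and not code from CookieCrumbler, SessionCrumbler or Zope. The class name, the PBKDF2 round count and the 15-minute token lifetime are assumptions chosen for illustration; the point is that nothing in the store can be turned back into a password, and the only mailable secret is a single-use, expiring reset token of which only a hash is kept.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical tunables for this example (not Zope/CMF settings).
PBKDF2_ROUNDS = 200_000
RESET_TTL_SECONDS = 15 * 60


class CredentialStore:
    """Holds only salted password hashes and hashed, expiring reset tokens.

    Nothing here can be reversed into the user's password, so a
    "mail me my password" script is impossible by construction; the
    only thing that can ever be mailed is a one-time reset token.
    """

    def __init__(self):
        self._users = {}    # login -> {"salt": bytes, "hash": bytes}
        self._resets = {}   # login -> {"token_hash": bytes, "expires": float}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, login, password):
        """Store a fresh random salt and the PBKDF2 hash; the plaintext is discarded."""
        salt = os.urandom(16)
        self._users[login] = {"salt": salt, "hash": self._hash(password, salt)}

    def verify(self, login, password):
        rec = self._users.get(login)
        if rec is None:
            return False
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def request_reset(self, login, now=None):
        """Create a one-time reset token and return the value to mail to the user.

        Only the SHA-256 of the token is stored, so a leaked copy of the
        store (or a replayed session) does not yield a usable token.
        A real deployment would answer identically for unknown logins.
        """
        if login not in self._users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._resets[login] = {
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": now + RESET_TTL_SECONDS,
        }
        return token

    def complete_reset(self, login, token, new_password, now=None):
        """Accept the mailed token once, within its lifetime, and set a new password."""
        now = time.time() if now is None else now
        pending = self._resets.get(login)
        if pending is None or now > pending["expires"]:
            # Expired tokens are discarded rather than left lying around.
            self._resets.pop(login, None)
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(pending["token_hash"], presented):
            return False
        # Single use: drop the token before the new password is stored.
        del self._resets[login]
        self.register(login, new_password)
        return True
```

The reset path replaces the "mail password" script entirely: the mailed value is worthless after one use or after the TTL, and a stolen session cookie that reaches the reset endpoint can at most trigger a mail to the account's registered address, never disclose the existing password.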