[Zope] CoreSessionTracking-based LoginMethod for LoginManager

Dario Lopez-Kästen dario@ita.chalmers.se
Thu, 16 Aug 2001 22:03:57 +0200


> If I didn't miss something, the only way of hacking left would be a
> man-in-the-middle attack. But that one could be done much more efficiently
> by catching your password at logon. To get rid of that problem, use SSL and
> check the server certificates. I don't see a better solution. It would be
> nice if one could use SSL for the login only, but how would you prevent the
> man-in-the-middle thing?

If you cannot rely on IP-address checking, there is no good way IMHO. A "less
worse" way could be to send a new random token to store as a cookie (even
possibly with a new cookie-id) with each and every request.

That way at least you can do damage control. As soon as the cookie id and/or
value is unexpected, throw warnings, and kill the user's session.

/dario

----------------------------------------------------------------------
Dario Lopez-Kästen     Systems Developer  Chalmers Univ. of Technology
dario@ita.chalmers.se  ICQ will yield no hits    IT Systems & Services
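The per-request rotation Dario sketches above, as an added example in Python (it is not code from the original message and not part of Zope's CoreSessionTracking or LoginManager). The `RotatingSessionStore` class, its method names and the `hijack_demo` scenario are all assumptions made for illustration: every authenticated request retires the presented cookie id and value and issues a fresh pair, and any cookie that is unknown, retired, or carries the wrong value raises a warning and kills the session it belongs to.

```python
import hmac
import logging
import secrets

log = logging.getLogger("rotating-session")

TOKEN_BYTES = 32  # 256 bits of randomness for each cookie id and each cookie value


class RotatingSessionStore:
    """Server-side session table (hypothetical, for illustration) where both the
    cookie id and the cookie value are replaced on every authenticated request.

    A cookie pair is accepted exactly once. If a retired pair is presented
    again, someone other than its rightful holder has a copy, so a warning is
    logged and the live session it rolled into is killed. That is the "damage
    control" from the message above: a stolen cookie is usable only until the
    next request by either party.
    """

    def __init__(self):
        self._live = {}      # live session id -> {"user": str, "token": str}
        self._retired = {}   # retired session id -> the live id it rotated into
        self.warnings = []   # (reason, presented session id), kept for inspection

    @staticmethod
    def _fresh_pair():
        return secrets.token_urlsafe(TOKEN_BYTES), secrets.token_urlsafe(TOKEN_BYTES)

    def login(self, user):
        """Start a session after the password check (not shown). Returns the
        (cookie id, cookie value) the client must present on its next request."""
        sid, tok = self._fresh_pair()
        self._live[sid] = {"user": user, "token": tok}
        return sid, tok

    def validate(self, sid, tok):
        """Check a presented cookie pair. On success returns (user, new_sid,
        new_tok); the caller sets the new cookie and forgets the old one. On an
        unexpected id or value it warns, kills the affected session and
        returns None."""
        entry = self._live.get(sid)
        if entry is None:
            self._reject("unknown or retired cookie id", sid)
            return None
        # constant-time comparison so the value check does not leak by timing
        if not hmac.compare_digest(entry["token"].encode(), tok.encode()):
            self._reject("cookie value mismatch", sid)
            return None
        # Rotate: retire the presented pair, issue a new pair for the same user.
        new_sid, new_tok = self._fresh_pair()
        del self._live[sid]
        self._live[new_sid] = {"user": entry["user"], "token": new_tok}
        self._retired[sid] = new_sid  # a real store would expire these entries
        return entry["user"], new_sid, new_tok

    def _reject(self, reason, sid):
        """Log a warning and kill whichever live session the bad cookie maps to."""
        log.warning("%s: %s", reason, sid)
        self.warnings.append((reason, sid))
        victim = sid
        while victim in self._retired:   # follow the rotation chain forward
            victim = self._retired[victim]
        self._live.pop(victim, None)

    def active_sessions(self):
        return len(self._live)


def hijack_demo():
    """Constructed scenario: an attacker copies the victim's cookie pair, then
    both parties try to use it. The store cannot tell which party is which;
    whoever presents the pair second trips the check and the session dies."""
    store = RotatingSessionStore()
    sid, tok = store.login("alice")
    stolen = (sid, tok)                        # attacker's copy of the cookie

    user, sid, tok = store.validate(*stolen)   # first use succeeds and rotates
    replay = store.validate(*stolen)           # second use of the retired pair: warning, session killed
    after = store.validate(sid, tok)           # the rotated pair is dead too: forced re-login
    reasons = [reason for reason, _ in store.warnings]
    return user, replay, after, store.active_sessions(), reasons
```

Two caveats a deployment would hit: a browser that fires several requests in parallel with the same cookie (images, frames) trips this check and logs its own user out, so a real store needs either a short grace window for the previous pair or strictly serialised requests; and, as the quoted text already notes, rotation does nothing against an attacker who relays traffic in real time rather than replaying a captured cookie, which is the case SSL with certificate checking is there for.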