[Zope] How to: ZServerSSL?

pjm3@ic.ac.uk pjm3@ic.ac.uk
Sun, 17 Mar 2002 13:05:52 +0000


Quoting Me <wphewitt@attbi.com>:

> What I am trying to do is use authentication over a secured channel to
> determine an enduser and their roles *without* asking them to log in
> again..... I know from the HTTP_REFER variable that they have already
> validated and I don't want to make them log in again.....

As I'm sure someone will point out, this is ludicrously insecure. The 
HTTP_REFERER variable is sent from the client, and as such can be changed, and 
your "login" can be spoofed.

I recommend looking into the various auth products (exUserFolder being my 
personal favourite) and if you *must* have some kind of cross-site login, do 
something with (secure) cookies.

> 
> If anyone has any slick suggestion on how I might do this easily, I
> would greatly appreciate it...

I'm not really sure how SSL and authentication are related unless:

1) You're doing client SSL certificate auth - which is very interesting
2) You want to protect the initial username/password data, which is fine but 
hardly novel.

What you sound like you want to do (common authentication between two sites) is 
something like passport.com, which they do using an (albeit clever) cookie 
setup and HTTP redirects. Some more details would help.

> 
> TIA
> 
> WPH

Cheers,
Phil


-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
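The two approaches contrasted in Phil's reply, as an added example that is not from the thread or from Zope: a check that trusts the client-supplied Referer header beside a cookie carrying an HMAC that the receiving site can actually verify. The shared key, cookie format and function names are assumptions made for the illustration.

```python
import hmac
import hashlib
import time

# Constructed key shared by the two cooperating sites (assumption for this
# example; in practice load it from configuration, never hard-code it).
SHARED_KEY = b"example-shared-key-not-for-production"


def trusts_referer(headers, trusted_origin="https://site-a.example/"):
    """The scheme the original poster describes: treat the user as logged in
    because the Referer says they arrived from the trusted site. Nothing in
    this check is verifiable, since the client controls the whole header."""
    return headers.get("Referer", "").startswith(trusted_origin)


def make_session_cookie(username, roles, issued_at=None):
    """Cookie value signed with HMAC-SHA256 under SHARED_KEY, so only a holder
    of the key can mint it. Hypothetical format: user|role1,role2|ts|hexmac.
    Send it with the Secure flag so it only travels over the SSL channel."""
    issued_at = int(issued_at if issued_at is not None else time.time())
    payload = f"{username}|{','.join(roles)}|{issued_at}".encode()
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + mac


def verify_session_cookie(cookie, now=None, max_age=600):
    """Return (username, roles) when the signature checks out and the cookie
    is younger than max_age seconds, else None. compare_digest keeps the
    MAC comparison constant-time."""
    try:
        username, roles, issued_at, mac = cookie.rsplit("|", 3)
    except ValueError:
        return None
    payload = f"{username}|{roles}|{issued_at}".encode()
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    now = int(now if now is not None else time.time())
    if not issued_at.isdigit() or now - int(issued_at) > max_age:
        return None
    return username, roles.split(",") if roles else []
```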