[TYPO3-english] Security non sense in felogin ?

Jigal van Hemert jigal at xs4all.nl
Mon Sep 27 21:42:18 CEST 2010


Hi,

If you think there is a security problem, please discuss it with the 
security team and not on a public list.

I'd like you to take the following features into consideration. Maybe 
they will already answer your concerns:

TYPO3 provides you with a basic FE login mechanism with a 
username/password combination. If you know or guess the combination you 
can login.
You can easily install an authentication service which can make it as 
hard as you want to authenticate users.

A user can always authenticate against any page of a TYPO3 website, but...
Every FE user must be a member of at least one user group. You can 
easily set the pages or page(sub)tree to which a user group has access. 
So even if a test user account is used to authenticate that user can 
still not access parts of the site for which you haven't given that 
group access.

Furthermore each FE user or user group can be locked to a domain (or IP 
address). This way the user can only login coming from that domain.

You can use an authentication service (one from TER or your own) to 
authenticate users against an external database (e.g. ldap). In such a 
case the storage pid will only be used to store a dummy fe_user record 
to let the rest of TYPO3 read the fe_user record fields. This way the 
storage pid is not used at all to validate the login credentials.

The basic login mechanism is not suitable to log into your bank account; 
you'll need extra secure mechanisms for that.

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh


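The post above describes how an authentication service takes over credential checking while the storage pid only supplies the dummy fe_users record. The following is an added example written for this page, not code from the original post or from TYPO3 itself: a minimal TYPO3 4.x frontend authentication service that verifies the password by binding to an LDAP directory. The extension key tx_ldapauthexample, the class name, the LDAP host and the base DN are assumptions; the service hooks (tx_sv_authbase, getUser/authUser, t3lib_extMgm::addService and the 200/100/0 return codes) are the TYPO3 4.x service API.

```php
<?php
// Added example, not part of the original post or of TYPO3.
// File 1 (assumed path): sv1/class.tx_ldapauthexample_sv1.php
// A TYPO3 4.x FE authentication service: the password is checked against an
// external LDAP directory, the fe_users record in the storage pid is only the
// "dummy" record whose fields (usergroup, lockToDomain, ...) TYPO3 reads.
require_once(PATH_t3lib . 'class.t3lib_svbase.php');
require_once(t3lib_extMgm::extPath('sv') . 'class.tx_sv_authbase.php');

class tx_ldapauthexample_sv1 extends tx_sv_authbase {
    // Assumed directory settings; a real extension would read them from its
    // extension configuration instead of hard-coding them.
    protected $ldapHost   = 'ldaps://ldap.example.org';
    protected $ldapBaseDn = 'ou=people,dc=example,dc=org';

    /**
     * Locate the fe_users record for the submitted user name.
     * fetchUserRecord() (inherited from tx_sv_authbase) already limits the
     * lookup to the storage pid of the login form, so the record merely has
     * to exist there; its password column is never consulted.
     */
    public function getUser() {
        if ($this->login['status'] !== 'login' || $this->login['uname'] === '') {
            return FALSE;
        }
        $user = $this->fetchUserRecord($this->login['uname']);
        return is_array($user) ? $user : FALSE;
    }

    /**
     * Verify the password with an LDAP bind as the user.
     * Return codes follow the TYPO3 auth service convention:
     *   200 = authenticated, stop asking further services
     *   100 = not decided here, let the next service try
     *     0 = failed, stop (do NOT return 100 on a bad password, or the
     *         standard service would fall back to the dummy record's
     *         password field)
     */
    public function authUser($user) {
        // Cleartext password; 'uident_text' is filled by the login security
        // levels of TYPO3 4.3 and later, older setups only have 'uident'.
        $password = isset($this->login['uident_text'])
            ? $this->login['uident_text'] : $this->login['uident'];
        if ($password === '') {
            return 0; // an empty password would become an anonymous bind and "succeed"
        }
        $username = $user['username'];
        if (!preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
            return 0; // refuse characters that could alter the DN structure
        }
        $conn = @ldap_connect($this->ldapHost);
        if (!$conn) {
            return 0; // directory unreachable: fail closed
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        $dn = 'uid=' . $username . ',' . $this->ldapBaseDn;
        $bound = @ldap_bind($conn, $dn, $password);
        ldap_unbind($conn);
        return $bound ? 200 : 0;
    }
}

// File 2 (assumed path): ext_localconf.php of the same extension
// Registers the service for the FE getUser/authUser subtypes with a priority
// above the default 50 so it runs before the built-in tx_sv_auth service.
t3lib_extMgm::addService($_EXTKEY, 'auth', 'tx_ldapauthexample_sv1', array(
    'title'       => 'LDAP authentication (example)',
    'description' => 'Checks frontend passwords against an LDAP directory',
    'subtype'     => 'getUserFE,authUserFE',
    'available'   => TRUE,
    'priority'    => 60,
    'quality'     => 50,
    'os'          => '',
    'exec'        => '',
    'classFile'   => t3lib_extMgm::extPath($_EXTKEY) . 'sv1/class.tx_ldapauthexample_sv1.php',
    'className'   => 'tx_ldapauthexample_sv1',
));
```

With this in place the storage pid plays exactly the role the post describes: a user still needs a fe_users record there (and the group memberships on that record still decide which pages are readable), but the password stored in that record is irrelevant because the service returns 0 on a failed bind and thereby stops the chain before the standard password check.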