[TYPO3-english] Security nonsense in felogin?
Tonix (Antonio Nati)
tonix at interazioni.it
Tue Sep 28 09:46:16 CEST 2010
I'll write to security team, better not to continue here.
Regards,
Tonino
On 27/09/2010 21:42, Jigal van Hemert wrote:
> Hi,
>
> If you think there is a security problem, please discuss it with the
> security team and not on a public list.
>
> I'd like you to take the following features into consideration. Maybe
> they will already answer your concerns:
>
> TYPO3 provides you with a basic FE login mechanism with a
> username/password combination. If you know or guess the combination
> you can login.
> You can easily install an authentication service which can make it as
> hard as you want to authenticate users.
>
> A user can always authenticate against any page of a TYPO3 website,
> but...
> Every FE user must be a member of at least one user group. You can
> easily set the pages or page(sub)tree to which a user group has
> access. So even if a test user account is used to authenticate that
> user can still not access parts of the site for which you haven't
> given that group access.
>
> Furthermore each FE user or user group can be locked to a domain (or
> IP address). This way the user can only login coming from that domain.
>
> You can use an authentication service (one from TER or your own) to
> authenticate users against an external database (e.g. ldap). In such a
> case the storage pid will only be used to store a dummy fe_user record
> to let the rest of TYPO3 read the fe_user record fields. This way the
> storage pid is not used at all to validate the login credentials.
>
> The basic login mechanism is not suitable to log into your bank
> account; you'll need extra secure mechanisms for that.
>
--
------------------------------------------------------------
Inter at zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix at interazioni.it
------------------------------------------------------------
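The quoted reply makes two separate points: authentication (the username/password check, or an external service) decides *who* the user is, while authorization (FE group membership, page and subtree restrictions, and the optional domain lock) decides *what* that user may reach. The following Python model is an added illustration of that separation and is not TYPO3 code; the page tree, the "restriction extends to subpages" flag, the group ids, the user records and the domain names are all constructed sample values. It shows why a guessed test account still cannot reach a subtree whose group it does not belong to, and why a domain-locked account is refused from any other domain.

```python
"""Model of frontend page access control in the style the thread describes.

Added illustration, not TYPO3's own implementation. Assumptions (constructed
for this example): pages form a tree; a page may carry a set of allowed
frontend groups, optionally extended to all of its subpages; a frontend
user belongs to one or more groups and may be locked to one domain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Page:
    uid: int
    pid: Optional[int]                      # parent page uid, None for the root
    fe_groups: frozenset = frozenset()      # allowed groups; empty means public
    extend_to_subpages: bool = False        # restriction also applies below


@dataclass(frozen=True)
class FeUser:
    username: str
    groups: frozenset                       # every FE user is in >= 1 group
    lock_to_domain: Optional[str] = None    # None means no domain lock


# Constructed sample site: root -> members area (restricted, extended),
# a page below it, plus a staff page that is restricted but not extended.
PAGES: Dict[int, Page] = {
    1: Page(uid=1, pid=None),
    2: Page(uid=2, pid=1, fe_groups=frozenset({10}), extend_to_subpages=True),
    3: Page(uid=3, pid=2),                                   # inherits 2's lock
    4: Page(uid=4, pid=1, fe_groups=frozenset({20})),       # staff only
    5: Page(uid=5, pid=4),                                   # NOT extended: public
}

MEMBER_GROUP, STAFF_GROUP = 10, 20

# Constructed users: a low-privilege test account locked to one domain.
TEST_USER = FeUser("test", frozenset({MEMBER_GROUP}), lock_to_domain="example.org")
STAFF_USER = FeUser("staff", frozenset({STAFF_GROUP}))


def rootline(pages: Dict[int, Page], uid: int) -> List[Page]:
    """Return the page itself followed by its ancestors up to the root."""
    line: List[Page] = []
    current: Optional[int] = uid
    while current is not None:
        page = pages[current]
        line.append(page)
        current = page.pid
    return line


def login_allowed(user: FeUser, request_domain: str) -> bool:
    """Domain lock: a locked user may only authenticate from that domain."""
    return user.lock_to_domain is None or user.lock_to_domain == request_domain


def page_accessible(pages: Dict[int, Page], uid: int, user: Optional[FeUser]) -> bool:
    """Authorization check, independent of how the user authenticated.

    Walk up the rootline: the page's own restriction always applies, an
    ancestor's restriction applies only if it was extended to subpages.
    Every applicable restriction must share a group with the user.
    """
    user_groups = user.groups if user is not None else frozenset()
    for depth, page in enumerate(rootline(pages, uid)):
        if not page.fe_groups:
            continue                        # public page, nothing to check
        if depth > 0 and not page.extend_to_subpages:
            continue                        # ancestor lock does not reach down
        if not (page.fe_groups & user_groups):
            return False
    return True


def serve(pages: Dict[int, Page], uid: int, user: Optional[FeUser],
          request_domain: str) -> bool:
    """Combined decision: a logged-in user counts only if the domain lock
    passes, then page access is decided purely by group membership."""
    effective = user if (user is not None and login_allowed(user, request_domain)) else None
    return page_accessible(pages, uid, effective)


if __name__ == "__main__":
    for uid in sorted(PAGES):
        print(uid, "test:", serve(PAGES, uid, TEST_USER, "example.org"),
              "anon:", serve(PAGES, uid, None, "example.org"))
```

The model makes the thread's argument concrete: even with a known test account, `serve()` refuses page 4 because the account is not in the staff group, and the same account is treated as anonymous when it arrives from a domain other than the one it is locked to.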