On 12/16/2010 02:58 PM, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>> Marius Gedminas wrote:
>>> So, did you know that by default Zope stores a copy of every user's
>>> username and password in your ZODB, in plain text, on every login
>>> that uses forms and sessions (rather than HTTP basic auth)?
>>
>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
>
> All of the above. More specifically, zope.pluggableauth (and, I assume,
> zope.app.authentication before that).
>
> I haven't looked at Zope 2, sorry.

I would venture to say that almost nobody in the Z2 world uses
zope.pluggableauth: they use Products.PluggableAuthService or another
Z2-specific solution. The SessionAuth plugin for PAS does put the
credentials in the session, IIRC.

Tres.

-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
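As an added illustration (not code from this thread, from zope.pluggableauth, or from PAS), the sketch below puts the pattern Marius describes, a session store that keeps the raw login and password, next to a variant that verifies the password once and persists only the principal id. It also includes an audit check that pickles the session store, which is how ZODB serializes objects, and searches it for the password bytes. The `USERS` table, the two session classes, `password_is_persisted()` and `demo()` are hypothetical names for this example and do not correspond to any Zope or PAS API.

```python
import hashlib
import hmac
import os
import pickle

# Constructed user store for the demo: username -> (salt, PBKDF2 digest).
# Only a salted hash is kept here; the password itself is never stored.
USERS = {}


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _digest(password, salt))


def verify(username, password):
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(expected, _digest(password, salt))


class CredentialSession:
    """The pattern the thread describes (hypothetical class): the session keeps
    the login and password so they can be re-checked on every request.
    ``store`` stands in for data the framework would persist."""

    def __init__(self):
        self.store = {}

    def login(self, session_id, username, password):
        if not verify(username, password):
            return False
        self.store[session_id] = {"login": username, "password": password}
        return True

    def principal_for(self, session_id):
        creds = self.store.get(session_id)
        if creds and verify(creds["login"], creds["password"]):
            return creds["login"]
        return None


class PrincipalSession:
    """Hardened variant (hypothetical class): verify the password once at
    login, then persist only the principal id keyed by the opaque session id.
    The password never reaches the session store."""

    def __init__(self):
        self.store = {}

    def login(self, session_id, username, password):
        if not verify(username, password):
            return False
        self.store[session_id] = {"principal": username}
        return True

    def principal_for(self, session_id):
        entry = self.store.get(session_id)
        return entry["principal"] if entry else None


def password_is_persisted(session, password):
    """Audit check: serialize the session store the way an object database
    would (ZODB stores pickles) and look for the raw password bytes."""
    return password.encode("utf-8") in pickle.dumps(session.store)


def demo():
    # Constructed sample login; both designs accept it, only one persists it.
    register("alice", "correct horse battery")
    leaky, safe = CredentialSession(), PrincipalSession()
    assert leaky.login("sid-1", "alice", "correct horse battery")
    assert safe.login("sid-2", "alice", "correct horse battery")
    return {
        "leaky_principal": leaky.principal_for("sid-1"),
        "safe_principal": safe.principal_for("sid-2"),
        "leaky_persists_password": password_is_persisted(leaky, "correct horse battery"),
        "safe_persists_password": password_is_persisted(safe, "correct horse battery"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same serialize-and-search check is a cheap way to audit any persistent session container: if a credential string can be found in the serialized store, a copy of the database (or a backup of it) carries that credential too. Keying the store by an opaque session id and storing only the principal id removes the password from the persisted data while still letting each request resolve to a principal.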