12 Apr 2004, 12:39 p.m.
On Mon, 12 Apr 2004, Chris Withers wrote:
> I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure.

Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global. Do not apply it.

> PS: To make cookie auth properly secure, you really need to be working over SSL only

I agree--SSL is required. Let's not give people a false sense of security by changing CookieCrumbler.

Shane