On Monday 15 September 2003 09:23 am, Chris Withers wrote:
> nicogrubert@arcor.de wrote:
> > My question is: how can I read the password the user entered in the login_form?
> > I tried to decode the string stored in the cookie "__ac" using base64.decodestring(<string>) and got "<username>:x034x213324", where <username> is the username in cleartext that the user typed in the __ac_name text field of login_form. How can I read the password in cleartext? The background of this issue is that I need to pass the password in cleartext to another application.

So, the password is being hashed on the client side? How is that happening, exactly? Javascript, Java plugin, or ?? Or *is* "x034x213324" the clear text password? HTML forms don't, to my knowledge, send encrypted data.

If Zope (that is, CookieCrumbler) is taking the cleartext password, encrypting it, and then storing it in a cookie, then this is probably the "long way round." I realized after tinkering with this myself that encrypting passwords for storage was probably a dumb idea if you're not using SSL to begin with (i.e. if they're not getting encrypted on the client side). Because it's sort of silly to store them in such a way that even *you* can't read them after you've just done the metaphorical equivalent of shouting the secret across a crowded room! (i.e. sending them in plain text across the net in the user's web request.) (Because, which is more likely -- that an attacker will gain shell access to your server and start going through your user database, or that they will simply sniff for passwords coming into your web server?) Maybe that's immediately obvious to other people, but I keep mentioning it because it wasn't to me. ;-)

> In that case, probably easier to customise the user folder and have it send the info when its getUser method is called.

Yeah, this would be my call, too. SimpleUserFolder, BTW, is very easy to subclass to get whatever custom behavior you need. I've been pretty happy with it so far, so I'd recommend going with that.

Cheers,
Terry

-- 
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
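An added example for the cookie question in the thread above (this is not code from the thread, nor CookieCrumbler's own implementation): the poster observed that base64-decoding the "__ac" cookie yields "<username>:<password>", which means the cookie is merely encoded, not hashed, and the password is recoverable by anyone who can read the cookie. The block below builds and decodes a cookie in that observed layout in Python 3 (base64.decodestring() from the thread no longer exists there). The URL-quoting of the two parts, the function names encode_ac_cookie / decode_ac_cookie and the sample credentials are assumptions made for the example.

```python
# Added example, not code from the thread or from CookieCrumbler.
# The thread shows the "__ac" cookie decodes to "<username>:<password>";
# everything else here (URL-quoting of the two parts, the function names)
# is an assumption made for the example.
import base64
import binascii
from urllib.parse import quote, unquote


def encode_ac_cookie(username: str, password: str) -> str:
    """Build a cookie in the observed layout: base64("<username>:<password>").

    The parts are URL-quoted (an assumption) so that a ':' inside the
    password cannot be mistaken for the separator when decoding.
    """
    raw = "%s:%s" % (quote(username, safe=""), quote(password, safe=""))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_ac_cookie(cookie: str):
    """Return (username, password) in cleartext, or None if the cookie is malformed.

    Python 3 replacement for the base64.decodestring() call in the thread;
    validate=True rejects characters outside the base64 alphabet instead of
    silently skipping them.
    """
    try:
        raw_bytes = base64.b64decode(cookie, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        raw = raw_bytes.decode("utf-8")
    except UnicodeDecodeError:
        # Non-UTF-8 bytes (a password containing control or high-bit
        # characters would show up as escapes such as \x03 in a Python repr):
        # map them 1:1 so nothing is lost.
        raw = raw_bytes.decode("latin-1")
    if ":" not in raw:
        return None
    name, pw = raw.split(":", 1)
    return unquote(name), unquote(pw)


if __name__ == "__main__":
    # Constructed sample: a cookie for user "alice" with password "s3cret".
    cookie = encode_ac_cookie("alice", "s3cret")
    print(cookie)                    # YWxpY2U6czNjcmV0
    print(decode_ac_cookie(cookie))  # ('alice', 's3cret')
```

Because decode_ac_cookie() recovers the password exactly, the cookie offers no more protection than the cleartext form post that produced it; that is Terry's point about "shouting the secret across a crowded room" and why the real fix is TLS on the wire, not an encoding step at the server.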