On Wed, 19 Apr 2000, Lalo Martins wrote:
> The reasons I don't use GUF are, (1) it doesn't by default acquire users, and (2) it's (in the author's words) "trivial to grab people's passwords".

1) It does now (the new architecture in 1.2.0 fixed this).

2) Only if you give people rights to create GUF instances. It's about the same as giving people the ability to create arbitrary DTML methods (i.e. someone creates a fake login form, and you would be surprised how many of your users would enter their username/password without thinking).

I don't know of any other user folders that yet do 1) with cookie authentication except GUF - it would be trivial to pinch the code from GUF to do this, however. 2) applies to any user that can create DTML or Python methods. It's not a GUF- or LoginManager-specific problem. The ability to create arbitrary HTML links is almost as bad - it does, however, require the malicious form to be hosted on a separate site and is more likely to be noticed by an observant client.

-- 
  ___
 //    Zen (alias Stuart Bishop)        Work: zen@cs.rmit.edu.au
// E N Senior Systems Alchemist         Play: zen@shangri-la.dropbear.id.au
//__   Computer Science, RMIT           WWW:  http://www.cs.rmit.edu.au/~zen