Persist password in CookieCrumbler
Can I persist the password using CookieCrumbler (in addition to the user name)? Has anybody made this modification and can supply the modified product or code. I made a stab at it but obviously my level of understanding is not up to snuff 'cause I can't get it to work. What are the implications/problems that might result from doing this?
I wrote something a long time ago which did this. Download http://www.issuetrackerproduct.com/Download#CookieCrumblerIssueTrackerProduc... And read some of the source. I think what you have to do is override its setAuthCookie method somehow and there you can set 'expires' to be a date far in the future.

On 21 October 2010 23:28, Brian Sullivan <briansullivan@gmail.com> wrote:
> Can I persist the password using CookieCrumbler (in addition to the user name)? Has anybody made this modification and can supply the modified product or code. I made a stab at it but obviously my level of understanding is not up to snuff 'cause I can't get it to work.
> What are the implications/problems that might result from doing this?

_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev )
-- Peter Bengtsson, work www.fry-it.com home www.peterbe.com hobby www.issuetrackerproduct.com fun crosstips.org
Thanks -- will have a look. On Fri, Oct 22, 2010 at 3:43 AM, Peter Bengtsson <peter@fry-it.com> wrote:
> I wrote something a long time ago which did this. Download http://www.issuetrackerproduct.com/Download#CookieCrumblerIssueTrackerProduc... And read some of the source. I think what you have to do is override its setAuthCookie method somehow and there you can set 'expires' to be a date far in the future.
>
> On 21 October 2010 23:28, Brian Sullivan <briansullivan@gmail.com> wrote:
>> Can I persist the password using CookieCrumbler (in addition to the user name)? Has anybody made this modification and can supply the modified product or code. I made a stab at it but obviously my level of understanding is not up to snuff 'cause I can't get it to work.
>> What are the implications/problems that might result from doing this?
On 10/21/2010 06:28 PM, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the user name)? Has anybody made this modification and can supply the modified product or code. I made a stab at it but obviously my level of understanding is not up to snuff 'cause I can't get it to work.
> What are the implications/problems that might result from doing this?
The obvious issue with a beyond-this-session auth cookie is that it enables anybody who can run that browser / profile to authenticate as the user being persisted. I would consider this an unacceptable risk for any site where the authentication was intended for anything more than "keep spambots out" (i.e., you might as well be using OpenID).

Tres.

--
===================================================================
Tres Seaver          +1 540-429-0999         tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tseaver@palladion.com> wrote:
> The obvious issue with a beyond-this-session auth cookie is that it enables anybody who can run that browser / profile to authenticate as the user being persisted. I would consider this an unacceptable risk for any site where the authentication was intended for anything more than "keep spambots out" (i.e., you might as well be using OpenID).
Isn't this about the same risk as the browser saving the id/password pair for the site? Certainly on a public or multiuser machine this would not be a good idea and appropriate warnings should be given. (It seems to me that all browsers do this and most users take advantage of this.)
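Added here as an example, not code from the thread, CookieCrumbler or Zope: a small Python 3 audit of a Set-Cookie header of the kind CookieCrumbler emits, flagging the far-future 'expires' Peter describes and the exposure Tres points out. It assumes the default `__ac` cookie value is base64 of "user:password" and works on constructed sample headers, not captured ones.

```python
import base64
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

# Constructed sample Set-Cookie values (no real site, user or password).
# First: session-only auth cookie as CookieCrumbler sets it by default.
# Second: the same cookie with an Expires far in the future, as discussed above.
SAMPLE_HEADERS = [
    '__ac="YWxpY2U6aHVudGVyMg=="; Path=/',
    '__ac="YWxpY2U6aHVudGVyMg=="; Path=/; Expires=Tue, 19 Jan 2038 03:14:07 GMT',
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: val}), attrs lower-cased."""
    parts = [p.strip() for p in header.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip().strip('"'), attrs


def audit_auth_cookie(header, now=None):
    """Return a list of findings for one auth cookie header."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    findings = []
    # 1. Lifetime: Max-Age or a far Expires makes the cookie outlive the browser session.
    if 'max-age' in attrs:
        findings.append('persistent: Max-Age=%s' % attrs['max-age'])
    elif 'expires' in attrs:
        expires = parsedate_to_datetime(attrs['expires'])
        if expires > now + timedelta(days=1):
            findings.append('persistent: expires in %d days' % (expires - now).days)
    # 2. Transport and script protections the cookie should carry.
    if 'secure' not in attrs:
        findings.append('missing Secure')
    if 'httponly' not in attrs:
        findings.append('missing HttpOnly')
    # 3. Content: assumed __ac format is base64("user:password"), so a persistent
    #    copy on disk is the password itself, not just a session token.
    try:
        decoded = base64.b64decode(unquote(value), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        decoded = ''
    if ':' in decoded:
        findings.append('value decodes to credentials for user %r' % decoded.partition(':')[0])
    return findings
```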