[Zope-PTK] DISCUSS: Why Zope.org has soft cookies
Amos Latteier
Amos@digicool.com
Mon, 17 Jan 2000 16:01:56 -0500
> It's the same reason you don't use telnet on unprotected or untrusted
> networks (and probably shouldn't even then). The general problem
> is that anyone can sniff the wire, pick up the cookie, slap it in
> their own cookie file and instantly impersonate you with all your
> access rights. This is of course why people use things like SSL and
> variously short lived session keys and the like.
I just spoke with Chris Petrilli who agrees with you. The PTK should not
set long-lived cookies with authentication information.
-Amos
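The thread's point is that a cookie carrying authentication information can be sniffed and replayed, and that the usual mitigations are TLS plus short-lived session keys. The following is an added illustration of the second mitigation, written for this page; it is not Zope or PTK code, and the names `SessionStore`, `issue`, `validate` and `set_cookie_header` are assumptions. The cookie carries only a random opaque key; the user identity and the expiry live on the server, so a captured cookie stops working once the session expires, and the `Secure` attribute keeps the browser from ever sending it over plaintext HTTP.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical names for an added illustration; not Zope/PTK code.


@dataclass
class Session:
    user: str
    expires_at: float  # POSIX timestamp after which the key is dead


class SessionStore:
    """Server-side store of short-lived session keys.

    The browser only ever holds an unguessable random key. Who it maps to,
    and for how long, is decided here, so the damage from a sniffed cookie
    is bounded by the TTL and can be cut short by revoke().
    """

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a new session for `user` and return its opaque key."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[key] = Session(user, now + self.ttl)
        return key

    def validate(self, key: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to `key`, or None if unknown or expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._sessions[key]  # expired: purge so it can never be replayed
            return None
        return sess.user

    def revoke(self, key: str) -> None:
        """Explicit logout: a stolen key becomes useless immediately."""
        self._sessions.pop(key, None)


def set_cookie_header(key: str, ttl_seconds: int, name: str = "__Host-session") -> str:
    """Build the Set-Cookie header that delivers the session key.

    Secure   : the browser sends it only over HTTPS, never on the plaintext wire.
    HttpOnly : page scripts cannot read it.
    Max-Age  : the browser drops it when the server-side session would expire.
    SameSite : the browser withholds it from most cross-site requests.
    The __Host- prefix makes browsers refuse the cookie unless it is Secure,
    has Path=/ and carries no Domain attribute.
    """
    return (f"{name}={key}; Path=/; Max-Age={ttl_seconds}; "
            f"Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    key = store.issue("alice", now=1000.0)
    print(set_cookie_header(key, store.ttl))
    print("valid at t+30:", store.validate(key, now=1030.0))  # alice
    print("valid at t+60:", store.validate(key, now=1060.0))  # None
```

The timestamps are passed explicitly so the expiry behaviour can be exercised without waiting; in a real handler they default to the current clock. Compare this with a cookie that itself contains the authentication information: such a cookie is valid for as long as the credential is, and nothing on the server can invalidate a copy once it has been sniffed.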