[Zope-PTK] DISCUSS: Why Zope.org has soft cookies

Karl Fast <karl.fast@pobox.com>
Mon, 17 Jan 2000 15:37:56 -0600


> I disagree.  The "password in cleartext on the wire" is the same for
> HTTP Basic Authentication as it is for cookies.  If people want to
> discard their login information, all they have to do is click "Logout".
> 
> The vast, vast majority of sites with identities, IMO, use long-lived
> cookies, but ask people if it is OK.  People building sites with our
> software should be able to build sites as "usable" as competitive sites,
> and have an option to clamp down as they wish.

I just signed up and am catching this thread in the middle, so
perhaps this has already been covered.

Sites like Amazon use a two-tiered approach. Whenever I return it
remembers who I am. No need to enter a password. And it returns
preferences and recommendations based on that identity. But if I
want to place an order, view my order history, or do other things
like that I need to sign on. The login form automatically inserts my
username (my email address in the case of Amazon) and I need to
supply my password. More personal information requires
authentication on a per session basis.

Yahoo! uses a similar two-tier approach. A Yahoo ID is valid for all
Yahoo services. The ID is long lived for my.yahoo.com. I never need
to enter my id/password unless I deliberately logged out. But the
Yahoo clubs is short lived, about 48 hours I think. Every 48 hours,
even if I never close Netscape during that time, I need to login
again. Both of these use the same username/password.

karl



-----------------------------------------------------------------
Karl Fast
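The two-tier scheme Karl describes (a long-lived cookie that only identifies you for personalisation, plus a short-lived cookie that proves a recent password check and is required for orders, order history and the like, with a fixed window of roughly 48 hours before you must log in again) can be sketched in a few lines. The block below is an added example written for this page, not code from the thread, from Zope or from the PTK. The cookie names, lifetimes, signing key, salt and user table are all constructed for the example; `login`, `identify`, `authenticated`, `logout` and `cookie_header` are hypothetical helper names.

```python
# Added example (not from the Zope-PTK thread): two-tier cookies.
#   identity cookie - long-lived, good only for "welcome back" personalisation
#   session cookie  - short-lived, issued by a password check, required for
#                     anything sensitive; expires 48 h after login regardless
#                     of activity, so the user is asked to log in again.
# Both cookies carry an HMAC over "user|expiry" so they cannot be forged.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

SECRET = secrets.token_bytes(32)          # per-process signing key (constructed)
IDENTITY_COOKIE = "identity"              # tier 1: who you are
SESSION_COOKIE = "session"                # tier 2: you logged in recently
IDENTITY_MAX_AGE = 365 * 24 * 3600        # a year
SESSION_MAX_AGE = 48 * 3600               # the ~48 h window the post mentions


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, PBKDF2 hash of the password).
_SALT = b"example-salt-16b"
USERS = {"karl": (_SALT, _pbkdf2("correct horse", _SALT))}


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_token(user: str, expires_at: int) -> str:
    payload = f"{user}|{expires_at}"
    return f"{payload}|{_sign(payload)}"


def verify_token(token: Optional[str], now: int) -> Optional[str]:
    """Return the user named in a token if its MAC checks and it has not expired."""
    if not token:
        return None
    try:
        user, exp_s, sig = token.split("|")
        expires_at = int(exp_s)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user}|{exp_s}")):
        return None
    if now >= expires_at:
        return None
    return user


def _parse(cookie_header: str) -> dict:
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def identify(cookie_header: str, now: int) -> Optional[str]:
    """Tier 1: enough to greet the user, pre-fill the login form, show recommendations."""
    return verify_token(_parse(cookie_header).get(IDENTITY_COOKIE), now)


def authenticated(cookie_header: str, now: int) -> Optional[str]:
    """Tier 2: required to order, view history, etc. Both cookies must name the same user."""
    cookies = _parse(cookie_header)
    session_user = verify_token(cookies.get(SESSION_COOKIE), now)
    identity_user = verify_token(cookies.get(IDENTITY_COOKIE), now)
    if session_user is None or session_user != identity_user:
        return None
    return session_user


def login(user: str, password: str, now: int) -> Optional[SimpleCookie]:
    """Check the password; on success return the Set-Cookie morsels for both tiers."""
    record = USERS.get(user)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return None
    jar = SimpleCookie()
    jar[IDENTITY_COOKIE] = make_token(user, now + IDENTITY_MAX_AGE)
    jar[IDENTITY_COOKIE]["max-age"] = IDENTITY_MAX_AGE
    jar[SESSION_COOKIE] = make_token(user, now + SESSION_MAX_AGE)
    jar[SESSION_COOKIE]["max-age"] = SESSION_MAX_AGE
    for name in (IDENTITY_COOKIE, SESSION_COOKIE):
        jar[name]["httponly"] = True
        jar[name]["secure"] = True
        jar[name]["path"] = "/"
    return jar


def logout() -> SimpleCookie:
    """An explicit "Logout" discards both tiers (Max-Age=0 tells the browser to drop them)."""
    jar = SimpleCookie()
    for name in (IDENTITY_COOKIE, SESSION_COOKIE):
        jar[name] = ""
        jar[name]["max-age"] = 0
        jar[name]["path"] = "/"
    return jar


def cookie_header(jar: SimpleCookie) -> str:
    """What the browser sends back on the next request: 'name=value; name=value'."""
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())
```

The sensitive handlers call `authenticated()` and, when it returns `None` but `identify()` does not, render the login form with the username already filled in, which is exactly the Amazon behaviour described above. Because the session token carries its own expiry rather than being refreshed on each hit, the 48-hour re-login happens even for a browser that is never closed, as with Yahoo Clubs.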