[Zope-CMF] CMFDefault register method & security

Chris Withers chrisw@nipltd.com
Wed, 18 Jul 2001 22:30:14 +0100


Andrew Sawyers wrote:
> 
> Well, I guess that's fine since username and password is being passed over
> the wire in the clear anyhow.  I don't see much difference whether it's in
> the url or in a hidden form.  In either case an able person is going to get
> them if they want them; I guess the log issue just makes another area
> where someone could exploit, thus I guess putting it into a post is the
> better of two evils.  What about encoding them into a cookie, decoding them
> on the server side?  Still crackable, but would take slightly more effort
> and exclude script kiddies??

I can't think of a good solution here.

What I would say is that if there is no good solution, the 'log me in' feature
should really be removed. It's not too much to ask people to type their username
and password in after they've just joined...

cheers,

Chris
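An added example, not from this thread or from CMFDefault, illustrating the two points under discussion: why a password passed as a GET parameter lands in the web server's access log while a POST body does not, and one way to keep a post-registration "log me in" step without putting the password in the URL, a hidden form field, or a cookie. The alternative shown is a single-use, short-lived login token issued at registration and redeemed once to start the session; only a hash of the token is kept server side. The log format, field names (username, password, token), the 60-second lifetime and the request paths are all assumptions made for the example.

```python
"""Added example (not from the Zope-CMF thread or from CMFDefault).
Part 1: what an access log records for GET versus POST credentials.
Part 2: a single-use login token as an alternative to passing the
password around after registration.  All names are assumptions."""

import hashlib
import secrets
import time
from urllib.parse import urlencode


# --- Part 1: what the web server's access log sees --------------------

def access_log_line(method, path, query=None, body=None):
    """Constructed Common-Log-Format-style line.  Like a real access log
    it records the request line (method, path and query string) but
    never the request body, so GET parameters are written to disk and
    POST fields are not.  `body` is accepted only to make that explicit."""
    request_line = path + ("?" + urlencode(query) if query else "")
    return ('10.0.0.1 - - [18/Jul/2001:22:30:14 +0100] '
            f'"{method} {request_line} HTTP/1.0" 302 -')


def password_in_log(method, creds):
    """True if the password would appear in the log line for a request
    that carries `creds` (dict with 'username' and 'password') via
    `method` ('GET' puts them in the query string, 'POST' in the body)."""
    if method == "GET":
        line = access_log_line("GET", "/register", query=creds)
    else:
        line = access_log_line("POST", "/register", body=creds)
    return creds["password"] in line


# --- Part 2: a single-use login token instead of the password ---------

class LoginTokenStore:
    """Issues random, single-use, time-limited login tokens.

    Registration calls issue() and hands the token to the client (for
    example in a redirect URL).  The token may still be logged, but it is
    consumed on first redemption and expires after `ttl` seconds, so the
    logged value is worthless afterwards.  Only the SHA-256 of the token
    is stored, so the server-side table does not hold the secret either.
    `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time, ttl=60):
        self._clock = clock
        self._ttl = ttl
        self._tokens = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Create a fresh token bound to `username`; return it to the caller."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the bound username and consume the token, or None if the
        token is unknown, already used, or expired.  pop() removes the entry
        before the expiry check so a stale token can never be retried."""
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


def register_and_login(store, username):
    """Simulated flow: registration issues a token and redirects to a page
    that redeems it.  Returns (logged_line, first_redeem, second_redeem)
    so the caller can see that the token is in the log yet is useless once
    redeemed.  The password never appears in any request."""
    token = store.issue(username)
    logged = access_log_line("GET", "/logged_in", query={"token": token})
    first = store.redeem(token)
    second = store.redeem(token)
    return logged, first, second
```

Usage note: `password_in_log("GET", {...})` returns True and the POST variant False, which is the whole difference between the two options the thread compares. `register_and_login` shows the token approach: the redirect URL (and therefore the log) contains the token, but the second `redeem` returns None, so whoever reads the log later gets nothing. If the token must not be logged at all, deliver it in the response body as the value of a hidden field in an auto-submitting POST form instead of in the redirect URL; the store logic is unchanged.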