[Zope-CMF] CookieCrumbler security issue?
Chris Withers
chris at simplistix.co.uk
Thu Jan 22 05:25:01 EST 2004
Lennart Regebro wrote:
>
> If you want higher security, then I think something else should be used.

What would you suggest?

> That said, making it securer is not necessarily a bad idea. For example,
> instead of username + password sent, a ticket could be sent as a cookie,
> and the zope-server could keep track of which user each ticket belonged
> to. That way the username and password are sent only once, when you send
> the login form.

Okay, but when and how does this ticket become invalid? Otherwise someone could
just snoop the ticket and we're back where we started...

cheers,

Chris
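
Added example, not part of the original post and not CookieCrumbler's code: one way the ticket scheme discussed above can bound a ticket's lifetime, using an idle timeout, an absolute expiry and explicit revocation. `TicketStore`, its method names and both timeout values are assumptions for illustration.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a ticket dies
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: hard cap regardless of activity


class TicketStore:
    """Hypothetical server-side ticket table; not CookieCrumbler's API."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # sha256(ticket) -> [user, issued_at, last_seen]

    @staticmethod
    def _key(ticket):
        # Store only a hash so a leaked table does not yield usable tickets.
        return hashlib.sha256(ticket.encode("utf-8")).hexdigest()

    def issue(self, user):
        """Call once, after the login form's credentials have been verified."""
        ticket = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        now = self._clock()
        self._tickets[self._key(ticket)] = [user, now, now]
        return ticket

    def validate(self, ticket):
        """Return the user for a live ticket, else None (expired ones are dropped)."""
        key = self._key(ticket)
        entry = self._tickets.get(key)
        if entry is None:
            return None
        user, issued_at, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT or now - issued_at > ABSOLUTE_LIFETIME:
            del self._tickets[key]
            return None
        entry[2] = now  # sliding idle window: activity keeps the ticket alive
        return user

    def revoke(self, ticket):
        """Logout: the ticket stops working immediately."""
        self._tickets.pop(self._key(ticket), None)

    def revoke_user(self, user):
        """Password change or suspected theft: drop every ticket for the user."""
        for key in [k for k, v in self._tickets.items() if v[0] == user]:
            del self._tickets[key]
```

Expiry and revocation only limit how long a captured ticket stays useful; keeping the ticket off the wire still requires HTTPS with the cookie marked Secure.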