[Zope-CMF] CookieCrumbler security issue?

Lennart Regebro regebro at nuxeo.com
Thu Jan 22 05:48:32 EST 2004


Chris Withers wrote:
> Lennart Regebro wrote:
>> If you want higher security, then I think something else should be used. 
> 
> What would you suggest?

SSL? I don't really see the use in trying to create a completely new 
secure authorization system. :)

> Okay, but when and how does this ticket become invalid?

Good question, a timeout would be good. Maybe storing it in a session 
variable?

> Otherwise someone could just snoop the ticket and we're back where we started...

Yup. This just protects you from sending the password (which you may use 
in many places) each request, and also prevents the client from storing 
it on disk.
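As an added illustration of the kind of ticket discussed above (example code written for this thread, not code from CookieCrumbler or the Zope project): a ticket that carries the username, an expiry time and an HMAC tag instead of the password, so a copy that is snooped or left on disk stops working once the timeout passes. The secret and the lifetime are assumptions for the example; the timeout only bounds the replay window, it does not stop snooping, which is the transport's job (SSL, as said above).

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed server-side secret for this example; a real deployment loads it
# from configuration and never hard-codes it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TICKET_LIFETIME = 600  # seconds a ticket stays valid (assumed value)


def issue_ticket(username: str, now: Optional[float] = None) -> str:
    """Build a ticket of the form user:expiry:tag; no password is included."""
    now = time.time() if now is None else now
    expires = int(now) + TICKET_LIFETIME
    payload = f"{username}:{expires}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the ticket is intact and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        # rsplit from the right so a username containing ':' still parses.
        username, expires_str, tag = ticket.rsplit(":", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    expected = hmac.new(
        SERVER_SECRET, f"{username}:{expires}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    if now >= expires:
        # Timeout reached: a snooped copy of this ticket is now useless.
        return None
    return username
```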
