[Zope-CMF] CookieCrumbler security issue?
Lennart Regebro
regebro at nuxeo.com
Thu Jan 22 05:48:32 EST 2004
Chris Withers wrote:
> Lennart Regebro wrote:
>> If you want higher security, then I think something else should be used.
>
> What would you suggest?
SSL? I don't really see the use in trying to create a completely new
secure authorization system. :)
> Okay, but when and how does this ticket become invalid?
Good question, a timeout would be good. Maybe storing it in a session
variable?
> Otherwise someone could just snoop the ticket and we're back where we started...
Yup. This just protects you from sending the password (which you may use
in many places) each request, and also prevents the client from storing
it on disk.
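The ticket scheme discussed in this thread (a short-lived token that replaces the password on each request, invalidated by a timeout, but still replayable by anyone who snoops it without SSL) can be sketched in a few lines. The following is an added illustration, not CookieCrumbler's or Zope's code: it assumes a server-side secret key and an HMAC-signed "user:expiry" ticket, both constructed here for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a server-side secret. How CookieCrumbler
# actually derives or stores its ticket secret is not described on the page.
SECRET_KEY = secrets.token_bytes(32)
TICKET_LIFETIME = 15 * 60  # seconds; the "timeout" suggested in the thread


def make_ticket(user, now=None, secret=SECRET_KEY, lifetime=TICKET_LIFETIME):
    """Issue an opaque ticket for `user` that carries no password.

    The ticket is base64(user:expiry:hmac). Only the server holding `secret`
    can produce a valid tag, so the client cannot forge or extend a ticket.
    """
    now = time.time() if now is None else now
    expiry = int(now) + lifetime
    payload = f"{user}:{expiry}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}:{tag}".encode()).decode()


def check_ticket(ticket, now=None, secret=SECRET_KEY):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(ticket.encode()).decode()
        payload, tag = raw.rsplit(":", 1)
        user, expiry = payload.rsplit(":", 1)
        expiry = int(expiry)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(tag, expected):
        return None
    # The timeout: a snooped ticket stops working once this passes.
    if now >= expiry:
        return None
    return user


if __name__ == "__main__":
    issued_at = 1000
    t = make_ticket("alice", now=issued_at)
    print("fresh:   ", check_ticket(t, now=issued_at + 1))
    print("replayed:", check_ticket(t, now=issued_at + 60))  # still valid: why SSL is needed
    print("expired: ", check_ticket(t, now=issued_at + TICKET_LIFETIME))
    print("forged:  ", check_ticket(make_ticket("alice", now=issued_at, secret=b"other"), now=issued_at + 1))
```

The "replayed" line is the point Chris raises: within the lifetime the ticket is accepted from anyone who captured it, so the timeout only bounds the exposure window; it does not remove the need for transport encryption.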