[Zope-CMF] Re: [CPS-devel] Plugin for PluggableUserFolder
Lennart Regebro
regebro at nuxeo.com
Thu Oct 7 09:10:42 EDT 2004
Jean-Marc Orliaguet wrote:
> since users get authenticated once per session:
> - is there any reason to store the password at all in a class or in a
> cookie or in RAM or in the session when authentication has succeeded and
> when this is done outside Zope (e.g. krb5, AD, ...)?
> - why not give a ticket to the user that expires after some time (maybe
> save it in a cookie) and have Zope trust the ticket?
You can do that, but it enables cookie-theft. It's safer than storing
the username and password in the cookie.
> Basically, even if the password is stored in the world's safest place,
> why store it at all if it is not going to be used again during the session?
Which is why I only store the username, but in a safe place.
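The ticket scheme the thread discusses, as an added example that is not code from the original message or from CPS or Zope: the server issues a cookie containing only the username and an expiry time, authenticated with an HMAC under a server-side secret, so no password is ever placed in the cookie. The key, TTL and helper names are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumed: a secret held only on the server; constructed placeholder value.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def issue_ticket(username, ttl_seconds, now=None, secret=SERVER_SECRET):
    """Build an expiring ticket: urlsafe_b64(username|expiry) + "." + HMAC tag.

    Only the username and expiry are carried; the password is not stored.
    """
    if now is None:
        now = time.time()
    expiry = int(now) + ttl_seconds
    payload = "{0}|{1}".format(username, expiry).encode("utf-8")
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + tag


def verify_ticket(ticket, now=None, secret=SERVER_SECRET):
    """Return the username if the ticket is authentic and unexpired, else None."""
    if now is None:
        now = time.time()
    try:
        encoded, tag = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode("ascii"))
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison of the MAC before trusting any field.
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        # rsplit so a username containing "|" still parses.
        username, expiry_str = payload.decode("utf-8").rsplit("|", 1)
        expiry = int(expiry_str)
    except ValueError:
        return None
    if now >= expiry:
        return None
    return username


if __name__ == "__main__":
    t = issue_ticket("alice", ttl_seconds=3600)
    print(t)
    print(verify_ticket(t))
```

A stolen ticket remains valid until its expiry, which is the cookie-theft risk raised in the reply; a short TTL bounds that window, and rotating `SERVER_SECRET` invalidates every outstanding ticket at once.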