[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler
Lennart Regebro
regebro at nuxeo.com
Tue Oct 12 11:47:18 EDT 2004
Tres Seaver wrote:
> Personally, I don't see a lot of benefit in expending development effort
> trying to polish a fundamentally insecure approach. Basic auth over SSL
> is actually more secure than either of the two "crumblers"; digest auth
> would be even better, and client certificates better than that.
And in any case, continually hacking the ugly hack that is
CookieCrumbler is not a good idea. I would recommend that you Plone people
put in some effort to move over to PAS instead of moving from one hack
to another. ;)