[Zope-dev] Re: [patch] More secure cookie crumbler?
Shane Hathaway
shane at zope.com
Mon Apr 12 08:39:51 EDT 2004
On Mon, 12 Apr 2004, Chris Withers wrote:

> I think the attached patch (against CookieCrumbler 1.1) makes
> CookieCrumbler a little more secure.

Your patch won't work with multiple ZEO app servers. It appears to store
the tokens in a module global. Do not apply it.

> PS: To make cookie auth properly secure, you really need to be working
> over SSL only

I agree--SSL is required. Let's not give people a false
sense of security by changing CookieCrumbler.
Shane
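
The objection about module globals and multiple ZEO app servers, shown as an added example that is not part of the original message or of the patch under discussion (the patch is not shown here). Assumptions: each app server process is modelled as a separate in-memory copy of a hypothetical auth module, and the names `issue`, `lookup`, `start_app_server` and `simulate` are invented for illustration.

```python
import types

# Hypothetical stand-in for an auth module that keeps session tokens in a
# module global. Names and behaviour are assumptions, not the real patch.
AUTH_MODULE_SOURCE = '''
import secrets

_tokens = {}                      # module global: exists in ONE process only

def issue(user):
    token = secrets.token_hex(16)
    _tokens[token] = user
    return token

def lookup(token):
    return _tokens.get(token)     # None when this process never saw the token
'''


def start_app_server(name):
    """Model one app server process: it gets a private copy of the module."""
    module = types.ModuleType(name)
    exec(AUTH_MODULE_SOURCE, module.__dict__)
    return module


def simulate(requests_after_login=4, servers=2):
    """Log in on server 0, then spread follow-up requests round-robin."""
    pool = [start_app_server(f"zeo_client_{i}") for i in range(servers)]
    token = pool[0].issue("alice")          # login request lands on server 0
    results = []
    for n in range(requests_after_login):
        server = pool[n % servers]          # load balancer picks a server
        results.append((server.__name__, server.lookup(token)))
    return results


if __name__ == "__main__":
    for server, user in simulate():
        print(server, "->", user or "token unknown, request treated as anonymous")
```

With two servers, every request routed to the server that did not handle the login fails to resolve the token, so the user appears to be logged out intermittently.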