[Zope-dev] Re: [patch] More secure cookie crumbler?
Chris Withers
chris at simplistix.co.uk
Tue Apr 20 09:50:15 EDT 2004
Shane Hathaway wrote:
> Hmm. I really wasn't expecting any new code yet. Session cookies are a
> very significant maintenance burden in Zope, and it's not in my interest
> to support them. If you don't mind, I think I'll release a version of CC
> without any session support, then I'll give Chris Withers the maintainer
> hat. He'll start with your latest version.
I'll certainly take that on, if only because Cookie Crumbler is in such wide use.
I wonder how many Plone users are aware their passwords are stored unencrypted
in client cookies which fly back and forth waiting to be snapped up by packet
sniffers, XSS, and JS attacks ;-)
That said, basic auth ain't much better, but at least that's protectable by SSL...
Hmmm, I wonder about sticking the token in the URL as an option, as with the
SESSION stuff...
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk