[Zope-dev] Re: [patch] More secure cookie crumbler?

Chris Withers chris at simplistix.co.uk
Tue Apr 20 09:50:15 EDT 2004


Shane Hathaway wrote:

> Hmm.  I really wasn't expecting any new code yet.  Session cookies are a
> very significant maintenance burden in Zope, and it's not in my interest
> to support them.  If you don't mind, I think I'll release a version of CC
> without any session support, then I'll give Chris Withers the maintainer
> hat.  He'll start with your latest version.

I'll certainly take that on, if only because Cookie Crumbler is in such wide use.

I wonder how many Plone users are aware their passwords are stored unencrypted 
in client cookies which fly back and forth waiting to be snapped up by packet 
sniffers, XSS, and JS attacks ;-)

That said, basic auth ain't much better, but at least that's protectable by SSL...

Hmmm, I wonder about sticking the token in the URL as an option, as with the 
SESSION stuff...

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk