[Zope-dev] encrypted _ac_name & _ac_password
Jens Vagelpohl
jens at dataflake.org
Thu Dec 30 06:12:26 EST 2004
> The easiest way to solve that is to let the cookie be only a random
> ticket. That way the username and password are only sent when actually
> logging in. This gives as much security as your solution, but it's
> easier to implement. PluggableUserFolder does, and I think PAS does it
> too (or at least it will do that soon).
PAS can do it currently by e.g. combining a CookieAuthHelper with a
SessionAuthHelper. The CookieAuthHelper only intercepts the initial
login page and gets the credentials (it does not set a cookie), and
only the SessionAuthHelper is called as a CredentialsUpdater - the
credentials thus end up in the session and the standard sessioning
cookie is the "random ticket".
jens
---------------
Jens Vagelpohl jens at zetwork.com
Software Engineer +49-(0)441-36 18 14 38
Zetwork GmbH http://www.zetwork.com/
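The split described in this thread, as an added example that is not PAS or PluggableUserFolder code: credentials are read only on the login form (the CookieAuthHelper role), a random ticket is issued and stored server-side (the SessionAuthHelper role), and every later request carries only the ticket. All names (`TicketStore`, `login`, `authenticate`, the `_ZopeId` cookie name, the TTL) and the sample user are constructed assumptions for this illustration.

```python
"""Random-ticket session cookie: credentials travel once, at login; the cookie
only carries an unguessable ticket that maps to a server-side session.
Added example, not PAS code; all names below are hypothetical."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_COOKIE = "_ZopeId"  # assumption: name of the standard sessioning cookie
TICKET_TTL = 3600           # assumed policy: seconds a ticket stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-SHA256 of the password; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed sample user database: username -> (salt, digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}


def check_password(user: str, presented: str) -> bool:
    """Constant-time comparison against the stored digest; unknown users fail."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, hash_password(presented, salt)[1])


@dataclass
class Session:
    user: str
    expires: float


class TicketStore:
    """Server-side map from random ticket to session (the SessionAuthHelper role)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, now: float) -> str:
        ticket = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._sessions[ticket] = Session(user, now + TICKET_TTL)
        return ticket

    def resolve(self, ticket: str, now: float) -> Optional[str]:
        session = self._sessions.get(ticket)
        if session is None:
            return None
        if now >= session.expires:
            del self._sessions[ticket]  # expired tickets are dropped on sight
            return None
        return session.user

    def revoke(self, ticket: str) -> None:
        """Logout: forgetting the ticket server-side invalidates the cookie."""
        self._sessions.pop(ticket, None)


def login(form: Dict[str, str], store: TicketStore, now: float) -> Optional[Dict[str, object]]:
    """The login form is the only place __ac_name/__ac_password are read
    (the CookieAuthHelper role). On success, return the data for Set-Cookie;
    note the password itself never goes into the cookie."""
    user = form.get("__ac_name", "")
    if not check_password(user, form.get("__ac_password", "")):
        return None
    ticket = store.issue(user, now)
    return {SESSION_COOKIE: ticket, "HttpOnly": True, "Secure": True, "SameSite": "Lax"}


def authenticate(cookies: Dict[str, str], store: TicketStore, now: float) -> Optional[str]:
    """Every later request presents only the ticket; no credentials are sent."""
    ticket = cookies.get(SESSION_COOKIE)
    return store.resolve(ticket, now) if ticket else None
```

Because the ticket is random rather than derived from the password, a leaked or captured cookie exposes only that one session, which can be ended by revoking the ticket; a cookie that carried `__ac_name`/`__ac_password` (even encrypted) would expose the reusable credentials themselves.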