[Zope] LoginManager HOWTO?

Stuart 'Zen' Bishop zen@cs.rmit.edu.au
Wed, 26 Apr 2000 09:55:05 +1000 (EST)


On Wed, 19 Apr 2000, Lalo Martins wrote:

> The reasons I don't use GUF are, (1) it doesn't by default
> acquire users, and (2) it's (in the author's words) "trivial to
> grab people's passwords".

1) It does now  (new architecture in 1.2.0 fixed this)

2) Only if you give people rights to create GUF instances. It's about
   the same as giving people ability to create arbitrary DTML methods
   (ie. someone creates a fake login form and you would be surprised how
   many of your users would enter their username/password without
   thinking).

I don't know of any other user folders that yet do 1) with cookie 
authentication except GUF - it would be trivial to pinch the code
from GUF to do this however.

2) applies to any user that can create DTML or Python methods. It's not
a GUF or LoginManager specific problem. Ability to create arbitrary HTML
links is almost as bad - it however requires the malicious form to
be hosted on a separate site and is more likely to be noticed by an
observant client.

-- 
 ___
   //     Zen (alias Stuart Bishop)     Work: zen@cs.rmit.edu.au
  // E N  Senior Systems Alchemist      Play: zen@shangri-la.dropbear.id.au
 //__     Computer Science, RMIT 	 WWW: http://www.cs.rmit.edu.au/~zen