[Zope] UserDB Vs. GUF

Stuart 'Zen' Bishop zen@cs.rmit.edu.au
Sat, 13 May 2000 00:04:36 +1000 (EST)


On Thu, 11 May 2000, Paul Abrams wrote:

> We are currently using UserDB for authentication. It is 
> simple and meets our needs.
> 
> Are there any compelling reasons to switch to the 
> much-newer GUF? Are there any security holes in UserDB that
> GUF may have fixed? What are other people using?

The only security issue I can think of is that the username/password
is passed in 'effectively plaintext' to every page on your site via
a cookie. If you have untrusted users with access to create DTML or 
other executable code, it is trivial for them to extract the password.

If you don't, there is really no reason to change until a future Zope
release finally breaks it.

-- 
 ___
   //     Zen (alias Stuart Bishop)     Work: zen@cs.rmit.edu.au
  // E N  Senior Systems Alchemist      Play: zen@shangri-la.dropbear.id.au
 //__     Computer Science, RMIT 	 WWW: http://www.cs.rmit.edu.au/~zen
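
An added illustration, not part of the original message and not UserDB's or GUF's code: it contrasts a cookie that carries the credentials with an opaque session token, from the point of view of code that can read the request. The base64 `user:password` layout, the function and class names, and the sample values are assumptions; the message does not describe UserDB's actual cookie format.

```python
# Added illustration. The base64 "user:password" cookie layout is an
# assumption; the message does not describe UserDB's real cookie format.
import base64
import hashlib
import secrets


def credential_cookie(username, password):
    """Weak design: the cookie is a reversible encoding of the credentials."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


class SessionStore:
    """Alternative: the cookie is a random token; the identity stays server-side."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> username

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, no user data
        self._sessions[self._key(token)] = username
        return token

    def resolve(self, token):
        return self._sessions.get(self._key(token))

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def password_visible_to_page_code(cookie_value):
    """What any code that sees the request cookie can recover from it."""
    try:
        text = base64.b64decode(cookie_value, validate=True).decode("utf-8")
    except ValueError:  # not base64, or not text: nothing to recover
        return None
    _user, sep, password = text.partition(":")
    return password if sep else None


if __name__ == "__main__":
    store = SessionStore()  # "alice" / "s3cret" are constructed sample values
    print(password_visible_to_page_code(credential_cookie("alice", "s3cret")))
    print(password_visible_to_page_code(store.issue("alice")))
```

With the token design, a leaked cookie still grants a session until it is revoked, but it never reveals the password itself.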