[Zope] Persist password in CookieCrumbler

Tres Seaver tseaver at palladion.com
Fri Oct 22 12:34:55 EDT 2010


On 10/21/2010 06:28 PM, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code? I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
> 
> What are the implications/problems that might result from doing this?

The obvious issue with a beyond-this-session auth cookie is that it
enables anybody who can run that browser / profile to authenticate as
the user being persisted.  I would consider this an unacceptable risk
for any site where the authentication was intended for anything more
than "keep spambots out" (i.e., you might as well be using OpenID).


Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com


