[Zope] Persist password in CookieCrumbler

Brian Sullivan briansullivan at gmail.com
Fri Oct 22 12:46:06 EDT 2010


On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tseaver at palladion.com> wrote:


> The obvious issue with a beyond-this-session auth cookie is that it
> enables anybody who can run that browser / profile to authenticate as
> the user being persisted.  I would consider this an unacceptable risk
> for any site where the authentication was intended for anything more
> than "keep spambots out" (i.e., you might as well be using OpenID).
>

Isn't this about the same risk as the browser saving the id/password
pair for the site? Certainly on a public or multiuser machine this
would not be a good idea and appropriate warnings should be given.


(It seems to me that all browsers do this and most users take advantage of this.)
