[Zope-PTK] DISCUSS: Why Zope.org has soft cookies

Amos Latteier Amos@digicool.com
Mon, 17 Jan 2000 11:19:23 -0500


> Amos, why do the cookies at Zope.org not contain all the login
> information, set to expire long into the future?  This is the way most
> sites work.  If you choose to set a cookie, you'll never need to log in
> again.

I think that the main concern is that anyone who used your browser would
then have access to your Zope.org account. Realistically this is not a
big deal for most classes of users.

I'm not sure if there are any other security issues involved in this
cookie arrangement.
 
> I imagine that we should provide some knobs to let portal owners choose
> different policies, but I think the default should be like other sites.

This sounds reasonable. I'm not sure if other sites in general work the
way you assert, but nonetheless it sounds like a friendlier solution
for the user.

However, I can imagine a case where the user's cookie gets lost for one
reason or another (for example, they change browsers) and if they are
not used to logging in, they will most likely not remember their
password. At this point they'll need to mail themselves their password.
Not a big deal I guess.

-Amos
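The two points in this exchange, "knobs" so a portal owner can choose between a session cookie and a long-lived one, and the worry that a long-lived cookie carrying login information hands the account to anyone at the same browser, can be illustrated with a small cookie helper. The code below is an added example written for this page; it is not Zope's or the PTK's code and not what Amos or the poster proposed. The cookie name `portal_login`, the `CookiePolicy` knobs, the key and the token layout are all assumptions of this example. It puts a signed, expiring token in the cookie instead of the login information itself, so a cookie left behind in a shared browser stops working when the configured lifetime runs out, and a user whose cookie is lost simply logs in again.

```python
"""Added example (not Zope's code): a 'remember me' login cookie that carries a
signed, expiring token instead of the account's login information, with the
portal-owner knobs discussed in the thread (session vs. persistent, lifetime)."""
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

COOKIE_NAME = "portal_login"   # assumed cookie name for this example, not Zope's
# Constructed demo key; a real deployment loads a random secret from configuration.
SERVER_KEY = b"constructed-demo-key-32-bytes-long!!"[:32]


@dataclass(frozen=True)
class CookiePolicy:
    """Knobs a portal owner could set (names are this example's, not Zope's)."""
    persistent: bool = False   # False: session cookie, dropped when the browser closes
    max_age: int = 12 * 3600   # seconds the server accepts the token, in either mode
    secure: bool = True        # only send the cookie over HTTPS
    httponly: bool = True      # keep the token away from page scripts


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username: str, exp: int, key: bytes = SERVER_KEY) -> str:
    """'username|exp' base64-encoded, plus an HMAC-SHA256 tag over that payload."""
    payload = f"{username}|{exp}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{_b64e(payload)}.{tag}"


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the username if the tag checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    encoded, tag = parts
    try:
        payload = _b64d(encoded)
        username, exp_text = payload.decode().rsplit("|", 1)
        exp = int(exp_text)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time tag comparison
        return None
    if exp <= now:   # a stale token left in a forgotten browser no longer works
        return None
    return username


def set_cookie_header(username: str, policy: CookiePolicy, key: bytes = SERVER_KEY,
                      now: Optional[float] = None) -> str:
    """Build the value of a Set-Cookie header under the given policy."""
    now = int(time.time() if now is None else now)
    token = make_token(username, now + policy.max_age, key)
    attrs = [f"{COOKIE_NAME}={token}", "Path=/"]
    if policy.persistent:
        attrs.append(f"Max-Age={policy.max_age}")   # browser keeps it across restarts
    if policy.secure:
        attrs.append("Secure")
    if policy.httponly:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def user_from_cookie_header(cookie_header: str, key: bytes = SERVER_KEY,
                            now: Optional[float] = None) -> Optional[str]:
    """Pick our cookie out of a request's Cookie header and validate it."""
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if name == COOKIE_NAME:
            return verify_token(value, key, now)
    return None


if __name__ == "__main__":
    hdr = set_cookie_header("alice", CookiePolicy(persistent=True, max_age=30 * 24 * 3600))
    print("Set-Cookie:", hdr)
    print("user:", user_from_cookie_header(hdr.split(";")[0]))
```

With `persistent=False` the header carries no `Max-Age`, so the browser discards the cookie when it closes, which is the Zope.org behaviour the poster asked about; with `persistent=True` the browser keeps it, but `max_age` still bounds how long the server honours it, and the token never contains the password, so a mislaid cookie does not give up the credentials themselves.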