[Zope-PTK] DISCUSS: Why Zope.org has soft cookies

Paul Everitt paul@digicool.com
Mon, 17 Jan 2000 16:09:13 -0500


Amos Latteier wrote:
> I just spoke with Chris Petrilli who agrees with you. The PTK should not
> set long lived cookies with authentication information.

I disagree.  The "password in cleartext on the wire" is the same for
HTTP Basic Authentication as it is for cookies.  If people want to
discard their login information, all they have to do is click "Logout".

The vast, vast majority of sites with identities, IMO, use long-lived
cookies, but ask people if it is OK.  People building sites with our
software should be able to build sites as "usable" as competitive sites,
and have an option to clamp down as they wish.

--Paul