[Zope-CMF] Re: [CPS-devel] Plugin for PluggableUserFolder (was: more secure cookie crumber)

Lennart Regebro regebro at nuxeo.com
Thu Oct 7 07:05:39 EDT 2004


Hi!

Jean-Marc Orliaguet wrote:
> Has anyone managed to write a cookiecrumbler / sessioncrumbler / 
> whatevercrumbler that does not store the password anywhere?

Yes, the CASIdentification.py plugin (available in v 2.5.0) uses the 
ProtectedAuthInfo class. This is just a simple class where the contents 
are not available from Python scripts or templates.

So CAS stores the username in that object and puts it in the session. 
If it's there, and it is the correct type (so you can't replace it with 
a fake object), the plugin returns that username as a valid user.

Seems pretty safe.

