[Zope-CMF] Re: [CPS-devel] Plugin for PluggableUserFolder

Jean-Marc Orliaguet jmo at ita.chalmers.se
Thu Oct 7 09:22:07 EDT 2004


Lennart Regebro wrote:

> Jean-Marc Orliaguet wrote:
>
>> since users get authenticated once per session:
>> - is there any reason to store the password at all in a class or in a 
>> cookie or in RAM or in the session when authentication has succeeded 
>> and when this is done outside Zope (e.g. krb5, AD, ...)?
>> - why not give a ticket to the user that expires after some time 
>> (maybe save it in a cookie) and have Zope trust the ticket?
>
>
> You can do that, but it enables cookie-theft. It's safer than storing 
> the username and password in the cookie.
>
>> Basically, even if the password is stored in the world's safest 
>> place, why store it at all if it is not going to be used again during 
>> the session?
>
>
> Which is why I only store the username, but in a safe place.



OK I get it, I thought the ProtectedAuthInfo class was used to store the 
password - I am going to do the same as in 
PluggableUserFolder/CASIdentification.py

Thanks /JM
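The ticket scheme discussed above (hand the user a signed, expiring ticket after external authentication succeeds, store only the username, never the password) sketched as an added Python example. This is not code from PluggableUserFolder or CASIdentification.py, and the page does not say how those modules build their tickets; the HMAC-over-payload format, the `SERVER_KEY`, the one-hour `TICKET_TTL` and the `issue_ticket`/`verify_ticket` names are all assumptions made for the illustration:

```python
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Optional

# Server-side secret (constructed for this example). In a real deployment it
# would live outside the code, readable only by the Zope process.
SERVER_KEY = b"example-server-key-not-for-production"

# Hypothetical lifetime: a ticket is trusted for this many seconds.
TICKET_TTL = 3600


def _sign(payload: bytes, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 tag over the raw payload, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_ticket(username: str, now: Optional[float] = None,
                 ttl: int = TICKET_TTL, key: bytes = SERVER_KEY) -> str:
    """Mint a ticket for a user whom krb5/AD/CAS has already authenticated.

    The ticket carries only the username, an expiry timestamp and a random
    nonce. The password is never written anywhere: the external authenticator
    has done its job, so there is nothing to replay later in the session.
    """
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    if now is None:
        now = time.time()
    expires = int(now) + ttl
    nonce = base64.urlsafe_b64encode(os.urandom(8)).decode().rstrip("=")
    payload = f"{username}|{expires}|{nonce}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload, key)}"


def verify_ticket(ticket: str, now: Optional[float] = None,
                  key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username if the ticket is authentic and unexpired, else None.

    This is all Zope would need to do on each request: no password lookup,
    no call back to the external authenticator.
    """
    if now is None:
        now = time.time()
    try:
        body, mac = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison so a byte-by-byte mismatch does not leak the tag.
    if not hmac.compare_digest(_sign(payload, key), mac):
        return None
    try:
        username, expires, _nonce = payload.decode().split("|")
        if int(expires) < now:
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    return username


if __name__ == "__main__":
    t = issue_ticket("alice")
    print("ticket:", t)
    print("verified as:", verify_ticket(t))
```

Note the caveat Lennart raises: `verify_ticket` has no idea which browser presented the cookie, so a stolen ticket is accepted from anywhere until `expires` passes. That is why the TTL matters and why the ticket is still an improvement over a cookie holding the username and password, which would be good indefinitely.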