[Zope-dev] Re: [patch] More secure cookie crumbler?

Shane Hathaway shane at zope.com
Mon Apr 12 08:39:51 EDT 2004


On Mon, 12 Apr 2004, Chris Withers wrote:

> I think the attached patch (against CookieCrumbler 1.1) makes
> CookieCrumbler a little more secure.

Your patch won't work with multiple ZEO app servers.  It appears to store
the tokens in a module global.  Do not apply it.

> PS: To make cookie auth properly secure, you really need to be working
> over SSL only

I agree--SSL is required.  Let's not give people a false sense of security by changing CookieCrumbler.

Shane
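The failure Shane points at (tokens kept in a module global are invisible to every other ZEO client process) can be shown directly. The following is an added illustration, not the patch under discussion and not CookieCrumbler code; it uses a second Python process as a stand-in for a second app server, and a `multiprocessing.Manager` dict as a stand-in for a store shared by all servers (in Zope that would be the ZODB). The function and variable names are hypothetical.

```python
"""Module-global token storage vs. a shared store when more than one
app-server process handles requests (added example, not from the thread)."""
import multiprocessing as mp
import secrets

# A module global lives only in the memory of the process that wrote it.
# Every ZEO client process gets its own, independent copy.
_LOCAL_TOKENS = {}


def issue_token(store, user):
    """Mint a random cookie token and remember which user it belongs to."""
    token = secrets.token_hex(16)
    store[token] = user
    return token


def validate_token(store, token):
    """Return the user bound to `token`, or None if this store never saw it."""
    return store.get(token)


def _issuer(store, user, queue):
    # Runs in the child process: this is the "other app server" logging the user in.
    queue.put(issue_token(store, user))


def issue_in_other_process(store, user):
    """Issue a token from a separate process and hand it back to the caller,
    as a cookie would travel from the login server to the next request."""
    queue = mp.Queue()
    proc = mp.Process(target=_issuer, args=(store, user, queue))
    proc.start()
    token = queue.get()
    proc.join()
    return token


def demo_module_global():
    """Token minted on server A, checked on server B, with a per-process store."""
    token = issue_in_other_process(_LOCAL_TOKENS, "alice")
    # Server B's copy of the global dict never received the token.
    return validate_token(_LOCAL_TOKENS, token)


def demo_shared_store():
    """Same flow, but the store is visible to every process (ZODB stand-in)."""
    with mp.Manager() as manager:
        shared = manager.dict()
        token = issue_in_other_process(shared, "alice")
        return validate_token(shared, token)


if __name__ == "__main__":
    print("module global:", demo_module_global())   # None: login is lost
    print("shared store: ", demo_shared_store())    # alice: login survives
```

The first call returns `None`: the user authenticated on one process and is anonymous on the next, which is exactly the multi-ZEO-server breakage described above. Any server-side token state has to live somewhere every process can reach, and it has to be checked over SSL, or the cookie is still exposed in transit.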