[Zope] logging in a user

Markus Schaber markus.schaber@student.uni-ulm.de
Tue, 08 Jan 2002 15:04:15 +0100


Ove Ruben R Olsen wrote:
> 
> At 12:42 08.01.2002 +0000, Tim Hicks wrote:
> 
> >One way around it would be to use some sort of cookie/session based login,
> >but I've not played with that so I can't really help.
> 
> Either that or you may use HTTP authentication directly in the URL. This is
> "nasty" but works.
>
> The original posting from Steven Turoff talked about changing a Zope user's
> password and then logging in with the new password. After a successful change
> of password one may use a redirect with the username and password in the URL
> as specified by the standard:
> 
> http://USERNAME:PASSWORD@www.mysite.is.cool/path/to/object/after/redirect
> 
> Note that there is a COLON - ":" - between the username and the password and a
> COMMERCIAL AT - "@" - between the username and the FQHN.

This should work, but it can open a security hole in certain
environments, as URLs often are logged in proxies and browser histories.
And as some proxies generate url-based statistics, it might even make
your username/password combination publicly visible.

markus

-- 
Markus Schaber - http://www.schabi.de/

Check in to another world - test a _real_ OS.
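An added illustration of the point Markus raises, not code from this thread or from Zope: if a `user:password@host` URL is ever going to be written to a proxy log, an application log or a URL-based statistics page, the userinfo part has to be stripped before the line is written. The example below (all names, the `REDACTED@` marker and the sample URLs are assumptions made for this illustration) detects embedded credentials with `urllib.parse`, produces a log-safe copy of the URL, and installs a `logging.Filter` that scrubs every such URL from a log record before the handler formats it.

```python
"""Redact user:password@ credentials embedded in URLs before they reach logs.

Hypothetical example written for this thread: the
http://USERNAME:PASSWORD@host/path form ends up in proxy logs, browser
histories and URL-based statistics, so anything that logs a URL should
drop the userinfo part first.
"""
import io
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Matches the userinfo part of an absolute URL ("scheme://user:pw@host").
# The userinfo cannot contain "/", "?", "#" or whitespace, so a "@" later
# in the path or query (e.g. an e-mail address) is not mistaken for it.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)(?P<userinfo>[^/?#@\s]+)@"
)


def has_embedded_credentials(url: str) -> bool:
    """True if the URL carries a username (and possibly a password)."""
    return urlsplit(url).username is not None


def redact_url(url: str) -> str:
    """Return the URL with the user:password@ part replaced by REDACTED@.

    Host, port, path, query and fragment are kept so the log line stays
    useful for debugging; only the secret-bearing part is removed.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if ":" in host:  # re-bracket IPv6 literals that urlsplit unwrapped
        host = f"[{host}]"
    netloc = f"REDACTED@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_text(text: str) -> str:
    """Redact every credential-bearing URL found inside free-form text."""
    return _USERINFO_RE.sub(lambda m: f"{m.group('scheme')}REDACTED@", text)


class CredentialRedactingFilter(logging.Filter):
    """logging.Filter that scrubs URL credentials from the final message.

    It formats the record's message once (msg % args), redacts the result
    and stores it back, so the handler's Formatter only ever sees the
    scrubbed text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(message: str, *args) -> str:
    """Log one message through the redacting filter and return the output.

    Uses an in-memory stream instead of a file so the behaviour can be
    checked offline; a real deployment would attach the filter to its
    existing handlers.
    """
    stream = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed sample: the redirect form quoted in the thread.
    sample = "http://USERNAME:PASSWORD@www.mysite.is.cool/path/to/object/after/redirect"
    print(has_embedded_credentials(sample))
    print(redact_url(sample))
    print(log_with_redaction("redirecting client to %s", sample), end="")
```

The filter is attached to the handler rather than the logger so that it also catches records propagated from child loggers; a reverse proxy or access-log writer that cannot run this code should instead be configured not to log the userinfo component at all, since it is the logged copy, not the redirect itself, that makes the password visible to whoever reads the statistics.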