[Zope] Persist password in CookieCrumbler
tseaver at palladion.com
Fri Oct 22 12:34:55 EDT 2010
On 10/21/2010 06:28 PM, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code. I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
> What are the implications/problems that might result from doing this?
The obvious issue with a beyond-this-session auth cookie is that it
enables anybody who can run that browser / profile to authenticate as
the user being persisted. I would consider this an unacceptable risk
for any site where the authentication was intended for anything more
than "keep spambots out" (i.e., you might as well be using OpenID).
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
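The persistence risk described in the reply above, as an added example that is not part of the original thread or of CookieCrumbler's own code: a Python check over `Set-Cookie` headers that reports whether the auth cookie outlives the browser session and whether it holds the password. The cookie name `__ac` and the URL-quoted base64 `name:password` encoding are assumptions about CookieCrumbler's defaults, and the sample headers are constructed.

```python
import base64
from urllib.parse import quote, unquote

AUTH_COOKIE = "__ac"  # assumption: CookieCrumbler's default auth cookie name

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip().strip('"'), attrs

def is_persistent(attrs):
    """A positive Max-Age (which overrides Expires) or any Expires outlives the session."""
    try:
        return int(attrs["max-age"]) > 0
    except (KeyError, ValueError):
        return "expires" in attrs  # simplification: past Expires dates are not checked

def carries_credentials(value):
    """True if the value is URL-quoted base64 of a 'name:password' pair (assumed encoding)."""
    try:
        decoded = base64.b64decode(unquote(value), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return False
    name, sep, password = decoded.partition(":")
    return bool(name and sep and password)

def audit(headers, auth_cookie=AUTH_COOKIE):
    """Return one finding per auth cookie: does it persist, does it hold the password?"""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name == auth_cookie:
            findings.append({"persistent": is_persistent(attrs), "credentials": carries_credentials(value)})
    return findings

# Constructed sample responses, not captured traffic.
_token = quote(base64.b64encode(b"alice:s3cr3t").decode("ascii"))
SAMPLE_HEADERS = [
    f'__ac="{_token}"; Path=/',                                         # session cookie
    f'__ac="{_token}"; Path=/; Expires=Sat, 22 Oct 2011 12:00:00 GMT',  # persisted to disk
    '__ac="deleted"; Path=/; Max-Age=0',                                # logout / expiry
]

if __name__ == "__main__":
    for header, finding in zip(SAMPLE_HEADERS, audit(SAMPLE_HEADERS)):
        print(finding, "<-", header)
```

A finding with both flags true is the case the reply warns about: replayable credentials left in the browser profile after the session ends.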