[Zope] Persist password in CookieCrumbler
briansullivan at gmail.com
Fri Oct 22 12:46:06 EDT 2010
On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tseaver at palladion.com> wrote:
> The obvious issue with a beyond-this-session auth cookie is that it
> enables anybody who can run that browser / profile to authenticate as
> the user being persisted. I would consider this an unacceptable risk
> for any site where the authentication was intended for anything more
> than "keep spambots out" (i.e., you might as well be using OpenID).
Isn't this about the same risk as the browser saving the id/password
pair for the site? Certainly on a public or multiuser machine this
would not be a good idea and appropriate warnings should be given.
(It seems to me that all browsers do this and most users take advantage of this.)