Re: [Zope] Persist password in CookieCrumbler
On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver wrote:
> The obvious issue with a beyond-this-session auth cookie is that it
> enables anybody who can run that browser / profile to authenticate as
> the user being persisted. I would consider this an unacceptable risk
> for any site where the authentication was intended for anything more
> than "keep spambots out" (i.e., you might as well be using OpenID).

Isn't this about the same risk as the browser saving the id/password pair for the site? Certainly on a public or multiuser machine this would not be a good idea and appropriate warnings should be given. (It seems to me that all browsers do this and most users take advantage of this.)

___
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Persist password in CookieCrumbler
On 10/21/2010 06:28 PM, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code? I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
>
> What are the implications/problems that might result from doing this?

The obvious issue with a beyond-this-session auth cookie is that it enables anybody who can run that browser / profile to authenticate as the user being persisted. I would consider this an unacceptable risk for any site where the authentication was intended for anything more than "keep spambots out" (i.e., you might as well be using OpenID).

Tres.
--
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
Re: [Zope] Persist password in CookieCrumbler
Thanks -- will have a look.

On Fri, Oct 22, 2010 at 3:43 AM, Peter Bengtsson wrote:
> I wrote something a long time ago which did this. Download
> http://www.issuetrackerproduct.com/Download#CookieCrumblerIssueTrackerProduct
> And read some of the source. I think what you have to do is override
> its setAuthCookie method somehow and there you can set 'expires' to be
> a date far in the future.
>
> On 21 October 2010 23:28, Brian Sullivan wrote:
>> Can I persist the password using CookieCrumbler (in addition to the
>> user name)? Has anybody made this modification and can supply the
>> modified product or code? I made a stab at it but obviously my level
>> of understanding is not up to snuff 'cause I can't get it to work.
>>
>> What are the implications/problems that might result from doing this?
>
> --
> Peter Bengtsson,
> work www.fry-it.com
> home www.peterbe.com
> hobby www.issuetrackerproduct.com
> fun crosstips.org
Re: [Zope] Persist password in CookieCrumbler
I wrote something a long time ago which did this. Download
http://www.issuetrackerproduct.com/Download#CookieCrumblerIssueTrackerProduct
And read some of the source. I think what you have to do is override its setAuthCookie method somehow and there you can set 'expires' to be a date far in the future.

On 21 October 2010 23:28, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code? I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
>
> What are the implications/problems that might result from doing this?

--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
fun crosstips.org
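
Added example, not part of the thread and not CookieCrumbler or IssueTrackerProduct code: one way to get a login that outlives the browser session without putting the password in the cookie, using a server-signed token with a capped lifetime. The cookie name `remember`, `SECRET`, `MAX_AGE` and the function names are assumptions for illustration, and `Max-Age` is used in place of a far-future 'expires' date.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client
MAX_AGE = 14 * 24 * 3600          # assumption: 14-day cap rather than a far-future date


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None):
    """Return 'user|expiry|mac'. The password never enters the cookie."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued + MAX_AGE}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token, now=None):
    """Return the user name for an authentic, unexpired token, else None."""
    try:
        payload, mac = token.rsplit("|", 1)
        user, expiry = payload.rsplit("|", 1)
        expiry = int(expiry)
    except ValueError:
        return None
    # Constant-time comparison; the expiry is covered by the MAC, so a
    # client cannot extend its own token by editing the cookie.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    current = time.time() if now is None else now
    return user if current < expiry else None


def set_cookie_header(token):
    """Set-Cookie value with a bounded lifetime and restrictive flags."""
    cookie = SimpleCookie()
    cookie["remember"] = token             # hypothetical cookie name
    cookie["remember"]["max-age"] = MAX_AGE
    cookie["remember"]["path"] = "/"
    cookie["remember"]["secure"] = True    # only sent over HTTPS
    cookie["remember"]["httponly"] = True  # not readable from page script
    return cookie["remember"].OutputString()
```

Anyone who can use the browser profile can still present this cookie until it expires; what changes is that the password is not written to disk and the window is bounded by the server.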
[Zope] Persist password in CookieCrumbler
Can I persist the password using CookieCrumbler (in addition to the user name)? Has anybody made this modification and can supply the modified product or code? I made a stab at it but obviously my level of understanding is not up to snuff 'cause I can't get it to work.

What are the implications/problems that might result from doing this?