On Mon, 12 Apr 2004, Chris Withers wrote:

> I think the attached patch (against CookieCrumbler 1.1) makes
> CookieCrumbler a little more secure.

Your patch won't work with multiple ZEO app servers.  It appears to store
the tokens in a module global.  Do not apply it.

> PS: To make cookie auth properly secure, you really need to be working
> over SSL only

I agree--SSL is required.  Let's not give people a false 
sense of security by changing CookieCrumbler.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to