Jamie Heilman wrote:

The problem of using cookies for auth creds is a little more complex
than that. The reality is, in a well written application, cookies
should never be used to store auth creds, even if you only send them
over SSL.

The patch means that auth creds are never sent, only an auth token that's valid for 20 mins or so, or you could set it to less.

The reason is that client side scripting languanges are
usually permitted access to cookie structures whereas they are
explicitly forbidden access to auth cred structures.  This is one of
the main things that makes cross-site scripting attacks dangerous.

Can you explain the XSS risk when a client user is not permitted to write HTML content to be stored by the app?

restrictions, etc. but few people will go through the trouble, and I'd
wager most people using the various cookie-based auth folder products
don't even know the risks.

This I'd agree with, but I find the argument "this car's breaks only let me stop in 1 mile, so there's no point in changing them so I can stop in 0.5 miles" a poor one...


Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to