Shane Hathaway wrote:

Hmm.  I really wasn't expecting any new code yet.  Session cookies are a
very significant maintenance burden in Zope, and it's not in my interest
to support them.  If you don't mind, I think I'll release a version of CC
without any session support, then I'll give Chris Withers the maintainer
hat.  He'll start with your latest version.

I'll certainly take that on, if only because Cookie Crumbler is in such wide use.

I wonder how many Plone users are aware their passwords are stored unencrypted in client cookies which fly back and forth waiting to be snapped up by packet sniffers, XSS, and JS attacks ;-)

That said, basic auth ain't much better, but at least that's protectable by SSL...

Hmmm, I wonder about sticking the token in the URL as an option, as with the SESSION stuff...


Simplistix - Content Management, Zope & Python Consulting

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to