Shane Hathaway wrote:
Hmm. I really wasn't expecting any new code yet. Session cookies are a very significant maintenance burden in Zope, and it's not in my interest to support them. If you don't mind, I think I'll release a version of CC without any session support, then I'll give Chris Withers the maintainer hat. He'll start with your latest version.
I'll certainly take that on, if only because Cookie Crumbler is in such wide use.
I wonder how many Plone users are aware their passwords are stored unencrypted in client cookies which fly back and forth waiting to be snapped up by packet sniffers, XSS, and JS attacks ;-)
That said, basic auth ain't much better, but at least that's protectable by SSL...
Cookies and Basic Auth are both transmitted via HTTP headers, so both should benefit from SSL.
Another question of course is what happens afterwards; in my experience at least IE has a tendency to store even session cookies longer than one might expect (i.e. beyond the lifetime of the browser instance).
I made a patch to CC to encrypt auth tokens with AES; though that's not ideal, it should help a little.
Hmmm, I wonder about sticking the token in the URL as an option, as with the SESSION stuff...
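As an added illustration for the cookie discussion above (not code from Cookie Crumbler, from the AES patch mentioned, or from anyone on this thread), here is a Python sketch of a cookie-borne auth token that carries no password at all: an HMAC-signed, expiring token, plus the Set-Cookie header with the Secure and HttpOnly attributes that address the sniffing and script-access concerns raised earlier. The server key, the cookie name `__ac`, and the `user|expiry|nonce|tag` layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed secret for this illustration only; a real server loads it from
# configuration and rotates it. It never leaves the server.
SERVER_KEY = b"illustration-only-server-key-change-me"

COOKIE_NAME = "__ac"  # assumed cookie name, chosen for the example


def mint_token(user, ttl_seconds, key=SERVER_KEY, now=None):
    """Return a cookie value of the form b64(user|expiry|nonce|hmac).

    The cookie carries no password. Anyone who sniffs it can replay it only
    until `expiry`, and cannot change the user or extend the expiry without
    the server key, because the HMAC covers all three fields.
    """
    if "|" in user:
        raise ValueError("field separator not allowed in user name")
    if now is None:
        now = time.time()
    expiry = int(now) + int(ttl_seconds)
    nonce = secrets.token_hex(8)  # makes every issued token distinct
    payload = f"{user}|{expiry}|{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + tag.encode()).decode()


def verify_token(token, key=SERVER_KEY, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    if now is None:
        now = time.time()
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        payload, tag = raw.rsplit("|", 1)
        user, expiry, _nonce = payload.split("|")
        expiry = int(expiry)
    except ValueError:  # bad base64, wrong field count, non-numeric expiry
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    if expiry <= now:
        return None
    return user


def forge_user(token, new_user):
    """Rewrite the user field of an existing token without re-signing.

    Used to show that the HMAC check rejects the tampered cookie.
    """
    raw = base64.urlsafe_b64decode(token.encode()).decode()
    _user, rest = raw.split("|", 1)
    return base64.urlsafe_b64encode(f"{new_user}|{rest}".encode()).decode()


def set_cookie_header(token, secure=True):
    """Build the Set-Cookie header for the token.

    `Secure` stops the browser sending the cookie over plain HTTP, and
    `HttpOnly` stops page script (XSS) from reading it. Omitting Expires /
    Max-Age makes it a session cookie, but since browsers do not all discard
    those when expected, the expiry inside the token is the one that counts.
    """
    attrs = [f"{COOKIE_NAME}={token}", "Path=/", "HttpOnly"]
    if secure:
        attrs.insert(2, "Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    t = mint_token("alice", ttl_seconds=3600)
    print(set_cookie_header(t))
    print("verify:", verify_token(t))
    print("forged:", verify_token(forge_user(t, "admin")))
```

Encrypting the password with AES keeps it confidential on the wire when SSL is absent, but a stolen ciphertext still replays until the password changes. A signed token with an expiry bounds that window, and a signature rather than encryption is enough here because nothing in the cookie is secret.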
_______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )