Chris Withers wrote:
Shane Hathaway wrote:

Hmm.  I really wasn't expecting any new code yet.  Session cookies are a
very significant maintenance burden in Zope, and it's not in my interest
to support them.  If you don't mind, I think I'll release a version of CC
without any session support, then I'll give Chris Withers the maintainer
hat.  He'll start with your latest version.



I'll certainly take that on, if only because Cookie Crumbler is in such wide use.

I wonder how many Plone users are aware their passwords are stored unencrypted in client cookies which fly back and forth waiting to be snapped up by packet sniffers, XSS, and JS attacks ;-)

That said, basic auth ain't much better, but at least that's protectable by SSL...

Cookies and Basic Auth both are transmitted via HTTP headers, so both should benefit from SSL

Another question of course is what happens afterwards; in my experience at least IE has a tendency to even store Session cookies longer than one might expect (ie. the lifetime of the browser instance)

I made a patch to CC to crypt auth tokens with AES, though thats not ideal it should help a little

Hmmm, I wonder about sticking the token in the URL as an option, as with the SESSION stuff...

Chris

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to