On 12/16/2010 02:58 PM, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>> Marius Gedminas wrote:
>>> So, did you know that by default Zope stores a copy of every user's
>>> username and password in your ZODB, in plain text, on every login that
>>> uses forms and sessions (rather than HTTP basic auth)?
>>
>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
>
> All of the above. More specifically, zope.pluggableauth (and, I assume,
> zope.app.authentication before that).
>
> I haven't looked at Zope 2, sorry.

I would venture to say that almost nobody in the Z2 world uses
zope.pluggableauth: they use Products.PluggableAuthService or another
Z2-specific solution. The SessionAuth plugin for PAS does put the
credentials in the session, IIRC.

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev