On 12/17/10 00:55, Tres Seaver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/16/2010 02:58 PM, Marius Gedminas wrote:
>> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>>> Marius Gedminas wrote:
>>>> So, did you know that by default Zope stores a copy of every user's
>>>> username and password in your ZODB, in plain text, on every login that
>>>> uses forms and sessions (rather than HTTP basic auth)?
>>>
>>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
>>
>> All of the above.  More specifically, zope.pluggableauth (and, I assume,
>> zope.app.authentication before that).
>>
>> I haven't looked at Zope 2, sorry.
>
> I would venture to say that almost nobody in the Z2 world uses
> zope.pluggableauth:  they use Products.PluggableAuthService or another
> Z2-specific solution.
>
> The SessionAuth plugin for PAS does put the credentials in the session,
> IIRC.

For Plone we use plone.session to manage authentication sessions.
plone.session does not require any ZODB writes or storing of passwords,
plaintext or otherwise. It is probably portable to zope.pluggableauth.

Wichert.
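The design difference discussed in this thread, as an added illustration that is not code from plone.session, zope.pluggableauth or any Zope package: instead of persisting the submitted username and password in a session object, the server issues a ticket that carries only the user id and an issue time, signed with a server-side secret (HMAC). Verifying the ticket needs no database write and the password never leaves the login request. The ticket format, the separator, the lifetime and the secret handling here are my own assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for the example. A real deployment keeps
# this out of the object database and out of source control.
SERVER_SECRET = secrets.token_bytes(32)
TICKET_LIFETIME = 3600  # seconds a ticket stays valid (assumed value)
SEP = "|"  # assumed field separator; user ids must not contain it


def make_ticket(userid, issued_at=None, secret=SERVER_SECRET):
    """Build a signed session ticket: userid|issued_at|hmac.

    The password is checked once at login (not shown here) and is never
    part of the ticket, so nothing secret is written to the session store.
    """
    if SEP in userid:
        raise ValueError("userid must not contain the separator")
    if issued_at is None:
        issued_at = int(time.time())
    payload = f"{userid}{SEP}{issued_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}{SEP}{mac}"


def verify_ticket(ticket, now=None, secret=SERVER_SECRET, lifetime=TICKET_LIFETIME):
    """Return the userid if the ticket is authentic and unexpired, else None.

    Recomputing the HMAC is the whole check: no session record is looked up
    or updated, so a forged or edited ticket is rejected without touching
    the database.
    """
    if now is None:
        now = int(time.time())
    parts = ticket.split(SEP)
    if len(parts) != 3:
        return None
    userid, issued_str, mac = parts
    if not issued_str.isdigit():
        return None
    payload = f"{userid}{SEP}{issued_str}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many
    # characters of the MAC matched.
    if not hmac.compare_digest(mac, expected):
        return None
    issued_at = int(issued_str)
    if now < issued_at or now - issued_at > lifetime:
        return None
    return userid


if __name__ == "__main__":
    ticket = make_ticket("alice")
    print("issued:", ticket)
    print("verifies as:", verify_ticket(ticket))
    tampered = ticket.replace("alice", "admin")
    print("tampered ticket verifies as:", verify_ticket(tampered))
```

Because the only state needed to validate a ticket is the server secret, the same ticket can be checked by any instance sharing that secret, which is what makes this approach portable between authentication frameworks. Revocation before expiry is the trade-off: a stateless ticket cannot be invalidated without rotating the secret or adding a server-side deny list.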
_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )
