On 16.12.2010 at 20:58, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>> Marius Gedminas wrote:
>>> So, did you know that by default Zope stores a copy of every user's
>>> username and password in your ZODB, in plain text, on every login that
>>> uses forms and sessions (rather than HTTP basic auth)?
>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
> All of the above. More specifically, zope.pluggableauth (and, I assume,
> zope.app.authentication before that).
I never understood why you would want to store the credentials in the session
at all (AFAIK not necessarily in your app's ZODB in case you use a RAM-based
session storage). Besides storing passwords in your session, Zope 3's and
probably also Bluebream's PAU authenticate the user on each request. That might
not be a problem if you use a local principal folder, but if you authenticate
against an external authentication source, e.g. LDAP, you probably don't want
to contact it on each request.
For our apps we modified the PAU (plugins) to store the authenticated principal
in the session instead of the credentials. The only possible disadvantage I can
think of is that you can't lock out a user until their session is invalidated.
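Added illustration (plain Python, not zope.pluggableauth's code; the user store, `Backend` and the helper names are constructed) of the two session strategies discussed above: raw credentials kept in the session with re-authentication on every request, versus storing only the authenticated principal, including the lockout lag and the session invalidation that resolves it.

```python
from dataclasses import dataclass

# Constructed stand-in for an external authentication source such as LDAP.
USERS = {"alice": "s3cret"}
DISABLED = set()  # accounts an administrator has locked out


@dataclass
class Backend:
    lookups: int = 0  # how often the "external" source was contacted

    def authenticate(self, login, password):
        self.lookups += 1
        if login in DISABLED or USERS.get(login) != password:
            return None
        return login


def login_credentials(session, backend, login, password):
    """Strategy A (criticised in the thread): keep the credentials in the session."""
    if backend.authenticate(login, password) is None:
        return False
    session["credentials"] = (login, password)  # plain text, persisted with the session
    return True


def principal_credentials(session, backend):
    """Strategy A per request: re-authenticate against the backend every time."""
    creds = session.get("credentials")
    return None if creds is None else backend.authenticate(*creds)


def login_principal(session, backend, login, password):
    """Strategy B (Andreas' approach): authenticate once, store only the principal."""
    principal = backend.authenticate(login, password)
    if principal is None:
        return False
    session["principal"] = principal
    return True


def principal_from_session(session):
    """Strategy B per request: no backend call and no password in the session,
    but a disabled account stays logged in until its session is invalidated."""
    return session.get("principal")


def disable_account(login):
    DISABLED.add(login)


def invalidate_sessions(login, sessions):
    """The step needed to make a lockout effective under strategy B."""
    for s in sessions:
        if s.get("principal") == login:
            s.clear()
```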