Am 16.12.2010 um 20:58 schrieb Marius Gedminas:

> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>> Marius Gedminas wrote:
>>> So, did you know that by default Zope stores a copy of every user's
>>> username and password in your ZODB, in plain text, on every login that
>>> uses forms and sessions (rather than HTTP basic auth)?
>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
> All of the above.  More specifically, zope.pluggableauth (and, I assume,
> before that).

I never understood why you would want to store the credentials in the session 
at all (AFAIK not necessarily in your app's ZODB in case you use a RAM based 
session storage). Besides storing passwords in your session Zope 3's and 
probably also Bluebream's PAU authenticate the user on each request. That might 
not be a problem if you use a local principal folder, but if you authenticate 
against an external authentication source, e.g. LDAP, you probably don't want 
to contact it on each request.

For our apps we modified the PAU (plugins) to store the authenticated principal 
in the session instead of the credentials. The only possible disadvantage I can 
think of is that you can't lock out a user until its session is invalidated.

Markus Kemmerling

Zope-Dev maillist  -
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to