+-------[ bruno desthuilliers ]----------------------
| Cyrille Bonnet wrote:
| > Hi there,
| >
| > I have been telling all my clients about how great Zope is for security:
| > fine-grained permissions, security framework, roles, etc.
| >
| > Now, one of my clients has a security expert who took a close look at
| > how Zope authenticates users. The results were not good.
| >
| > The main problem is that Zope stores the username and password in a
| > cookie in clear text (base64 encoded).
|
| *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
| is responsible for this horror.
Lots of UserFolders do this by default for compatibility reasons. CookieCrumbler
is just following a long tradition. It's EXACTLY the same as what you get with
Basic Auth.

exUserFolder has a mode that uses a random hash for cookies (I'm sure other
UserFolders have this option as well).

But as others have said, if you're posting to a form and not using https,
what's the point.

--
Andrew Milton
[EMAIL PROTECTED]

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
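An added illustration of the two points in the thread, written for this page and not taken from Zope, CookieCrumbler or exUserFolder: the first function shows that a base64 "user:password" cookie (the same thing a Basic Auth header carries) is recovered with a single decode call, so it is clear text to anyone who can read the cookie; the remaining functions sketch the alternative Andrew mentions, where the cookie holds only a random token that is looked up server-side and the password never leaves the login form. The in-memory dicts are a hypothetical stand-in for whatever a real user folder persists.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample: a Basic-Auth style "username:password" credential as it
# appears after base64 encoding. Base64 is an encoding, not encryption.
SAMPLE_CREDENTIAL = base64.b64encode(b"alice:s3cret").decode()


def decode_basic_credential(encoded):
    """Recover username and password from a base64 'user:pass' blob.

    This is all an attacker who can read the cookie (or the Authorization
    header) has to do; there is no key involved.
    """
    raw = base64.b64decode(encoded).decode()
    user, _, password = raw.partition(":")
    return user, password


# Hypothetical server-side state standing in for a user folder's storage.
_password_db = {}   # username -> (salt, PBKDF2 digest); no clear-text passwords
_sessions = {}      # random token -> username


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    """Store only a salted hash of the password."""
    salt = secrets.token_bytes(16)
    _password_db[username] = (salt, _hash_password(password, salt))


def login(username, password):
    """Check the password once; on success hand back an opaque random token.

    The token is what goes into the cookie. It carries no user data, cannot
    be decoded into anything, and can be revoked by deleting it server-side.
    """
    record = _password_db.get(username)
    if record is None:
        return None
    salt, digest = record
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(_hash_password(password, salt), digest):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = username
    return token


def user_for_token(token):
    """Resolve a cookie token back to a username, or None if unknown/revoked."""
    return _sessions.get(token)


def logout(token):
    """Invalidate a token; a captured cookie is useless after this."""
    _sessions.pop(token, None)
```

The token design only removes the password from the cookie; the login POST still carries it once, and a random token is just as replayable as the base64 cookie if it travels over plain HTTP. Both schemes need https to be meaningful, which is the point the thread ends on.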