+-------[ bruno desthuilliers ]----------------------
| Cyrille Bonnet wrote:
| > Hi there,
| > I have been telling all my clients about how great Zope is for security:
| > fine-grained permissions, security framework, roles, etc.
| > Now, one of my clients has a security expert who took a close look at
| > how Zope authenticates users. The results were not good.
| > The main problem is that Zope stores the username and password in a
| > cookie in clear text (base64 encoded).
| *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
| is responsible for this horror.
Lots of UserFolders do this by default for compatibility reasons.
CookieCrumbler is just following a long tradition.
It's EXACTLY the same as what you get with Basic Auth.
exUserFolder has a mode that uses a random hash for cookies (I'm sure other
UserFolders have this option as well). But as others have said, if
you're posting to a form and not using https, what's the point?
Zope maillist - Zope@zope.org
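The contrast the thread draws, between a Basic-Auth-style cookie that is just base64 of "user:password" and the random-token cookie mode the reply attributes to exUserFolder, as an added example in Python. This is not code from the thread, from Zope, CookieCrumbler or exUserFolder; every name in it (decode_credential_cookie, TokenSessionStore, session_cookie_header, the constructed sample cookie) is the example's own, and the session store is an in-memory stand-in for whatever a real UserFolder would persist.

```python
"""Added example (not from the mailing-list thread or any Zope product).

Shows (1) that a base64 'user:pass' cookie is cleartext to anyone who can
read it, and (2) an opaque random-token session cookie, where the cookie
value reveals nothing and the server maps it to a user.
"""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample: the kind of value a Basic-Auth-style UserFolder stores.
# It is base64("alice:s3cret"); no key is needed to reverse it.
SAMPLE_CRED_COOKIE = base64.b64encode(b"alice:s3cret").decode("ascii")


def decode_credential_cookie(value: str) -> Tuple[str, str]:
    """Recover username and password from a base64 'user:pass' cookie.

    Base64 is an encoding, not encryption: whoever sees the cookie (on the
    wire over plain http, in a proxy log, in a browser dump) sees the password.
    """
    raw = base64.b64decode(value).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


class TokenSessionStore:
    """Opaque-token sessions (hypothetical stand-in for a UserFolder's table).

    The cookie carries a random value that means nothing on its own.
    Server-side we keep only sha256(token) -> username, so a leaked session
    table does not hand out usable cookies; the raw token lives only in the
    client's cookie jar.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Hashing before lookup means the dict key comparison is over a digest
        # of a 256-bit secret, so its timing reveals nothing useful.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG, URL-safe so it can sit in a cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[self._fingerprint(token)] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the username bound to this token, or None if unknown."""
        return self._sessions.get(self._fingerprint(token))

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._fingerprint(token), None)


def session_cookie_header(token: str, name: str = "__ac_session") -> str:
    """Build a Set-Cookie header for the opaque token.

    Secure keeps the browser from sending it over plain http (the thread's
    'what's the point' without https); HttpOnly keeps page scripts from
    reading it. A random token is still only as safe as the channel it
    travels on, so this does not remove the need for https.
    """
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("credential cookie decodes to:", decode_credential_cookie(SAMPLE_CRED_COOKIE))
    store = TokenSessionStore()
    tok = store.issue("alice")
    print("token cookie reveals nothing on its own:", tok)
    print("server resolves it to:", store.lookup(tok))
    print(session_cookie_header(tok))
```

The two halves are deliberately side by side: decode_credential_cookie needs no secret at all, while the token store's value is only meaningful to the server that issued it. Neither design protects a password POSTed to a login form over plain http, which is the point the reply closes on.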