+-------[ bruno desthuilliers ]----------------------
| Cyrille Bonnet wrote:
| > Hi there,
| > 
| > I have been telling all my clients about how great Zope is for security:
| > fine-grained permissions, security framework, roles, etc.
| > 
| > Now, one of my clients has a security expert who took a close look at
| > how Zope authenticates users. The results were not good.
| > 
| > The main problem is that Zope stores the username and password in a
| > cookie in clear text (base64 encoded).
| *Zope* don't do that. It's the (infamous) CookieCrumbler products that
| is responsible for this horror.

Lots of UserFolders do this by default for compatibility reasons.
CookieCrumbler is just following a long tradition.

It's EXACTLY the same as what you get with Basic Auth.

exUserFolder has a mode uses a random hash for cookies (I'm sure other
UserFolders have this option as well). But as others have said, if 
you're posting to a form and not using https, what's the point.

Andrew Milton
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to