-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/21/2010 06:28 PM, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code. I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
> 
> What are the implications/problems that might result from doing this?

The obvious issue with a beyond-this-session auth cookie is that it
enables anybody who can run that browser / profile to authenticate as
the user being persisted.  I would consider this an unacceptable risk
for any site where the authentication was intended for anything more
than "keep spambots out" (i.e., you might as well be using OpenID).


Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzBvS4ACgkQ+gerLs4ltQ50YwCgo8lBRu2rSifUDKllvWdXd90l
efMAnRjJH8rc+4nXBG9z4Fru4MXW+oq+
=UNOh
-----END PGP SIGNATURE-----

_______________________________________________
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to