On 10/21/2010 06:28 PM, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code? I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
>
> What are the implications/problems that might result from doing this?

The obvious issue with a beyond-this-session auth cookie is that it
enables anybody who can run that browser / profile to authenticate as
the user being persisted. I would consider this an unacceptable risk
for any site where the authentication was intended for anything more
than "keep spambots out" (i.e., you might as well be using OpenID).

Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )