On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tsea...@palladion.com> wrote:
> The obvious issue with a beyond-this-session auth cookie is that it
> enables anybody who can run that browser / profile to authenticate as
> the user being persisted. I would consider this an unacceptable risk
> for any site where the authentication was intended for anything more
> than "keep spambots out" (i.e., you might as well be using OpenID).
>

Isn't this about the same risk as the browser saving the id/password pair for the site? Certainly on a public or multiuser machine this would not be a good idea and appropriate warnings should be given. (It seems to me that all browsers do this and most users take advantage of this.)

_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )