On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tsea...@palladion.com> wrote:
> The obvious issue with a beyond-this-session auth cookie is that it
> enables anybody who can run that browser / profile to authenticate as
> the user being persisted. I would consider this an unacceptable risk
> for any site where the authentication was intended for anything more
> than "keep spambots out" (i.e., you might as well be using OpenID).
Isn't this about the same risk as the browser saving the id/password
pair for the site? Certainly on a public or multiuser machine this
would not be a good idea and appropriate warnings should be given.
(it seems to me that all browsers do this and most users take advantage of this)
Zope maillist - Zope@zope.org
** No cross posts or HTML encoding! **
(Related lists -