On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tsea...@palladion.com> wrote:

> The obvious issue with a beyond-this-session auth cookie is that it
> enables anybody who can run that browser / profile to authenticate as
> the user being persisted.  I would consider this an unacceptable risk
> for any site where the authentication was intended for anything more
> than "keep spambots out" (i.e., you might as well be using OpenID).

Isn't this about the same risk as the browser saving the id/password
pair for the site? Certainly on a public or multiuser machine this
would not be a good idea and appropriate warnings should be given.

(it seems to me that all browsers do this and most users take advantage of this)
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to