Mailing List Archive

I wrote something a long time ago which did this. Download
http://www.issuetrackerproduct.com/Download#CookieCrumblerIssueTrackerProduct
And read some of the source> I think what you have to do is override
its setAuthCookie method somehow and there you can set 'expires' to be
a date far in the future.

On 21 October 2010 23:28, Brian Sullivan <briansullivan@gmail.com> wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code. I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
>
> What are the implications/problems that might result from doing this?
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  https://mail.zope.org/mailman/listinfo/zope-announce
>  https://mail.zope.org/mailman/listinfo/zope-dev )
>



--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com
fun crosstips.org
_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )

Thanks -- will have a look.

On Fri, Oct 22, 2010 at 3:43 AM, Peter Bengtsson <peter@fry-it.com> wrote:
> I wrote something a long time ago which did this. Download
> http://www.issuetrackerproduct.com/Download#CookieCrumblerIssueTrackerProduct
> And read some of the source> I think what you have to do is override
> its setAuthCookie method somehow and there you can set 'expires' to be
> a date far in the future.
>
> On 21 October 2010 23:28, Brian Sullivan <briansullivan@gmail.com> wrote:
>> Can I persist the password using CookieCrumbler (in addition to the
>> user name)? Has anybody made this modification and can supply the
>> modified product or code. I made a stab at it but obviously my level
>> of understanding is not up to snuff 'cause I can't get it to work.
>>
>> What are the implications/problems that might result from doing this?
>> _______________________________________________
>> Zope maillist  -  Zope@zope.org
>> https://mail.zope.org/mailman/listinfo/zope
>> **   No cross posts or HTML encoding!  **
>> (Related lists -
>>  https://mail.zope.org/mailman/listinfo/zope-announce
>>  https://mail.zope.org/mailman/listinfo/zope-dev )
>>
>
>
>
> --
> Peter Bengtsson,
> work www.fry-it.com
> home www.peterbe.com
> hobby www.issuetrackerproduct.com
> fun crosstips.org
>
_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/21/2010 06:28 PM, Brian Sullivan wrote:
> Can I persist the password using CookieCrumbler (in addition to the
> user name)? Has anybody made this modification and can supply the
> modified product or code. I made a stab at it but obviously my level
> of understanding is not up to snuff 'cause I can't get it to work.
>
> What are the implications/problems that might result from doing this?

The obvious issue with a beyond-this-session auth cookie is that it
enables anybody who can run that browser / profile to authenticate as
the user being persisted. I would consider this an unacceptable risk
for any site where the authentication was intended for anything more
than "keep spambots out" (i.e., you might as well be using OpenID).


Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzBvS4ACgkQ+gerLs4ltQ50YwCgo8lBRu2rSifUDKllvWdXd90l
efMAnRjJH8rc+4nXBG9z4Fru4MXW+oq+
=UNOh
-----END PGP SIGNATURE-----

_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )

On Fri, Oct 22, 2010 at 12:34 PM, Tres Seaver <tseaver@palladion.com> wrote:


> The obvious issue with a beyond-this-session auth cookie is that it
> enables anybody who can run that browser / profile to authenticate as
> the user being persisted.  I would consider this an unacceptable risk
> for any site where the authentication was intended for anything more
> than "keep spambots out" (i.e., you might as well be using OpenID).
>

Isn't this about the same risk as the browser saving the id/password
pair for the site? Certainly on a public or multiuser machine this
would not be a good idea and appropriate warnings should be given.


(it seems to me that all browsers do this and most users take advantage of this)
_______________________________________________
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )