[Zope-CMF] Re: [CPS-devel] Plugin for PluggableUserFolder

Lennart Regebro regebro at nuxeo.com
Thu Oct 7 09:10:42 EDT 2004


Jean-Marc Orliaguet wrote:
> since users get authenticated once per session:
> - is there any reason to store the password at all in a class or in a 
> cookie or in RAM or in the session when authentication has succeeded and 
> when this is done outside Zope (e.g. krb5, AD, ...)?
> - why not give a ticket to the user that expires after some time (maybe 
> save it in a cookie) and have Zope trust the ticket?

You can do that, but it enables cookie-theft. It's safer than storing 
the username and password in the cookie.

> Basically, even if the password is stored in the world's safest place, 
> why store it at all if it is not going to be used again during the session?

Which is why I only store the username, but in a safe place.
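A sketch of the expiring ticket discussed above, as an added example that is not part of this thread or of PluggableUserFolder; the secret value, the ticket format and the lifetime are assumptions. The cookie carries only the username and an expiry under an HMAC, never the password.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret (hypothetical value); generated once per
# deployment and never placed in the cookie itself.
SERVER_SECRET = b"replace-with-a-random-secret"
TICKET_LIFETIME = 3600  # seconds the ticket stays valid (assumed)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(username: str, now: Optional[float] = None) -> str:
    """Build a cookie value: base64(username):expires:hmac. No password."""
    now = time.time() if now is None else now
    expires = int(now) + TICKET_LIFETIME
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    payload = f"{user_b64}:{expires}".encode()
    return f"{user_b64}:{expires}:{_sign(payload)}"


def check_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the ticket is intact and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        user_b64, expires_s, mac = ticket.split(":")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed cookie
    payload = f"{user_b64}:{expires}".encode()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None  # tampered username or expiry
    if now >= expires:
        return None  # expired; the user must authenticate again
    return base64.urlsafe_b64decode(user_b64).decode()
```

Anyone holding the cookie is accepted as that user until it expires, which is the cookie-theft risk Lennart mentions; a short lifetime and the Secure/HttpOnly cookie flags limit, but do not remove, that exposure.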

