
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

As I understand it (and I am pretty likely to get this wrong so feel free to 
point that out) the only reason we have to send the user/pass on every http 
request is because of the change to using postgresql to authenticate every 
request (i.e., server-side, LSMB logs into psql as the actual user), therefore 
requiring the password to do so.

I remember trying to make the point some time ago that maybe LSMB should 
connect as its own user, then use postgres' role-switching abilities to 
become the connected user after connection. As I understand it this can be 
done without having to supply the user's password.

Then, you have the advantage of not needing the plaintext password for every 
request (since LSMB can track a list of valid sessions and logs into psql 
as "itself"), and we can still use per-role access restrictions on tables etc 
in psql, since lsmb will switch roles to that user to perform data 
operations.

As for Chris' point about the initial login being just as dangerous as the 
on-going requests, I think it's a good one.

Additionally, I think using http-auth would be a step backwards, given that 
some browsers are pretty unpredictable with the credentials (tell me a way to 
make a browser reliably "forget" credentials? afaik, there isn't one), so 
shared computers are more vulnerable to left-over logins using http-auth than 
those based on sessions.

-- 
Regards,
	Ashley J Gittins
	web: 	http://www.purple.dropbear.id.au
	jabber: ..hidden..
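The role-switching pattern described in the post above, as an added example that is not part of the thread or of LedgerSMB's own code; the role names (`lsmb_app`, `alice`, `bob`), table names and passwords are constructed for illustration:

```sql
-- End-user roles. Their passwords are never stored on the application server;
-- the server only needs them at the initial login (or not at all, if login is
-- validated some other way), never for per-request database connections.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-alice';
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-bob';

-- The application's own role: the only password the server must hold.
-- NOINHERIT means lsmb_app does NOT automatically carry alice's or bob's
-- privileges; it only gains them after an explicit SET ROLE.
CREATE ROLE lsmb_app LOGIN PASSWORD 'placeholder-app' NOINHERIT;

-- SET ROLE is only allowed to roles the session role is a member of,
-- so membership is what authorises impersonation (no user password involved).
GRANT alice TO lsmb_app;
GRANT bob   TO lsmb_app;

-- Per-role table privileges still apply after the switch.
CREATE TABLE ar (id integer PRIMARY KEY, amount numeric);
CREATE TABLE gl (id integer PRIMARY KEY, amount numeric);
GRANT SELECT, INSERT ON ar TO alice;
GRANT SELECT         ON ar, gl TO bob;

-- Per-request pattern, on a connection opened as lsmb_app once the
-- application has matched the request to a valid session for alice:
SET ROLE alice;
SELECT session_user, current_user;      -- lsmb_app | alice
INSERT INTO ar (id, amount) VALUES (1, 10);  -- allowed: alice has INSERT on ar
SELECT * FROM gl;                       -- ERROR: permission denied for table gl
RESET ROLE;   -- always run before the connection is reused for another request

SET ROLE bob;
SELECT * FROM gl;                       -- allowed: bob has SELECT on gl
INSERT INTO ar (id, amount) VALUES (2, 5);   -- ERROR: permission denied for table ar
RESET ROLE;

-- Audit check: every user lsmb_app can become. Because the app role can
-- impersonate all of these, its credentials need protecting accordingly.
SELECT rolname
  FROM pg_roles
 WHERE pg_has_role('lsmb_app', oid, 'MEMBER')
   AND rolname <> 'lsmb_app';
```

Session validity (which user a request belongs to, and when it expires) now lives entirely in the application, since PostgreSQL sees only `lsmb_app` authenticating.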