
Fwd: Security fix that started all this



Oops, list is not set to reply-to list. BTW, I know some people have
strong objections to setting reply-to list, but it is my preference. I
don't want to force it upon everyone though if the consensus is to not do
so. Any thoughts?

Cheers,

Chris

---------- Forwarded message ----------
Subject: Re: [Ledger-smb-devel] Security fix that started all this

On 9/8/06, Tony Fraser <..hidden..> wrote:
If the plan is to actually use server side sessions to store data in the
future then by all means let's refine what we have now. But I just want
to ask the question: Do we really want server side per session storage
or was it just the way that seemed easiest to solve the problem at hand?

The plan is to move all the files in users/ into a central database,
and the same for user modified templates and css. The advantages this
has are:

- the server doesn't need file permissions anywhere anymore
- a goof in an apache config won't expose members or username.conf
- portability issues in dealing with filesystems (allowed chars, case,
etc..) are all gone
- 3rd party tools to modify/maintain user content only need to talk
postgres, no file

Also, we can move to a pluggable authentication and support other
mechanisms (LDAP, Basic HTTP Auth, Kerberos, etc..) and store user
data in the db.

Cheers,

Chris