
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)



On 10/1/07, Chris Travers <..hidden..> wrote:
> In going to native DB accounts, one of the difficulties we have to resolve
> is how to effectively authenticate serial requests.  The major problem has
> to do with how the password to the database is stored.  I am going to
> suggest that we move to using HTTP authentication as the primary mechanism
> of authentication and automate this from the login screen where possible
> using Javascript.

I trust we will hash the password somehow before transmitting it from
the browser...

> A secondary method could be offered where the passwords
> are stored in the db, but this has more serious security concerns associated
> and therefore I would suggest that we do not go that route.
>
> The major issue with storing the information in the session object is that a
> database superuser could review all passwords of all currently logged in
> users.  I don't think that this is acceptable as it both allows a set of
> trusted individuals to bypass security of the db and also undermines basic
> security mechanisms of PostgreSQL as a whole (which we rely on).  If anyone
> has better ideas, I am open to them.  However, this will also put us within
> striking distance of transparent single signon support (for things like
> Kerberos).
>
> The big disadvantage is that some browsers may handle authentication
> differently and we will have to address this.
>
> Best Wishes,
> Chris Travers
>
> _______________________________________________
> Ledger-smb-devel mailing list
> ..hidden..
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel


-- 
Chris Nighswonger
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org
..hidden..
V:910-892-8761
C:919-820-5473
-------------
NOTICE: The information contained in this electronic mail message is
intended only for the use of the intended recipient, and may also be
protected by the Electronic Communications Privacy Act, 18 USC
Sections 2510-2521. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please reply to the
sender, and delete the original message. Thank you.
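Added example, not from this thread or from LedgerSMB: a per-request HTTP Basic authentication handler of the kind the proposal describes, in Python. It parses the Authorization header, hands the credentials to a stand-in for a PostgreSQL login (the db_login callable and the realm name are assumptions of this example), and writes nothing but a logged-in flag to the session store, so a database superuser reading the session table finds no password. The make_basic_auth helper also shows why the reply's hope for hashing does not hold for Basic auth: the token is base64 of user:password and decodes straight back to the password.

```python
import base64
import binascii

REALM = "LedgerSMB"  # realm name is an assumption of this example


def parse_basic_auth(header):
    """Parse an 'Authorization: Basic <token>' header value.

    Returns (user, password), or None when the header is missing, carries a
    different scheme, is not valid base64, or has no ':' separator.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # bad base64 or bad UTF-8
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def make_basic_auth(user, password):
    """Build the header value a browser sends: base64, not a hash, so it
    decodes back to the cleartext password with parse_basic_auth()."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def handle_request(headers, db_login, session_store):
    """Authenticate one request with the credentials it carries.

    headers:       dict of request headers (constructed by the caller)
    db_login:      hypothetical stand-in for opening a PostgreSQL connection
                   as that user; returns True when the login succeeds
    session_store: dict modelling the server-side session table; the
                   password is never written to it
    Returns (status, response_headers, user_or_None).
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None  # no usable credentials: ask the browser
    user, password = creds
    if not db_login(user, password):
        return 401, challenge, None  # database rejected the login
    # Only the fact of being logged in is recorded; the password exists in
    # this function's locals for the duration of the request and is gone
    # when it returns, so a superuser inspecting the session table learns
    # nothing usable.
    session_store[user] = {"logged_in": True}
    return 200, {}, user


if __name__ == "__main__":
    # Constructed demonstration: a login callable that accepts one fixed pair.
    def demo_login(user, password):
        return (user, password) == ("alice", "correct horse")

    sessions = {}
    print(handle_request({}, demo_login, sessions))
    print(handle_request({"Authorization": make_basic_auth("alice", "wrong")},
                         demo_login, sessions))
    print(handle_request({"Authorization": make_basic_auth("alice", "correct horse")},
                         demo_login, sessions))
    print("session table:", sessions)
```

The trade-off the reply touches on is real: Basic auth sends the reversible cleartext over the wire (so it needs TLS), while HTTP Digest auth sends only a hash and so never gives the web server a password it could present to PostgreSQL on the user's behalf. A scheme that passes the user's own database password through per request is therefore tied to Basic auth over TLS, or to a non-password mechanism such as the Kerberos single sign-on the proposal mentions.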