
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)



On 10/1/07, Chris Travers <..hidden..> wrote:
>
>
> On 10/1/07, Joshua D. Drake <..hidden..> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Chris Travers wrote:
> > > On 10/1/07, Joshua D. Drake <..hidden..> wrote:
> > >> -
> > >>
> > >> passwords will not be stored as plain text... they will be an encrypted
> > >> hash. I am not understanding the problem.
> > >
> > >
> > > Log in to LedgerSMB with your DB username and password.
> > >
> > > Click on a link.  How does the application know what password to use to
> log
> > > into the db?
> >
> > You hash and compare?
>
>
> Ok, maybe I am not being clear.
>
> To log in on the next page you need to provide PostgreSQL with a username
> and password.  How do we derive what password we send to PostgreSQL and
> where do we store this (it would have to be stored in the clear somewhere
> since we have to pass it via the DBI connect routine)?

Maybe hash it in the JavaScript (or whatever method you choose),
store the hash in a cookie, transmit the hash, have the code unhash
and pass the password to the DBI connect routine. Thus the only place
the password is in plain text is in the connect routine. (One must
wonder why the connect routine is not written to take hashed passwords
to begin with.)

Regards,
Chris
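
An added example, not code from the thread or from LedgerSMB, of the flow sketched above: the DB password is sealed at login into a cookie-safe token, the token travels with each request, and the server unseals it only at the moment it calls the database connect routine, so plaintext exists nowhere but in memory during connect. Because a hash cannot be reversed, the token here is produced by encrypt-then-MAC under a key that only the web server holds (the HMAC-SHA256 counter-mode stream cipher is a stdlib-only illustration; a vetted AEAD such as AES-GCM belongs in production). `db_connect` is a stand-in for DBI->connect, and the key, user and password values are constructed for the demo.

```python
"""Per-request DB re-authentication with the password sealed in a cookie.

Added example, not LedgerSMB code. Encrypt-then-MAC built from HMAC-SHA256
(illustration only; use a real AEAD in production).
"""
import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(server_key: bytes):
    """Derive separate encryption and MAC keys from the server-held master key."""
    enc = hmac.new(server_key, b"cookie-enc", hashlib.sha256).digest()
    mac = hmac.new(server_key, b"cookie-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (illustration only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_password(server_key: bytes, password: str) -> str:
    """Login step: encrypt the DB password, tag it, base64 it for the cookie."""
    enc_key, mac_key = _subkeys(server_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = password.encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode("ascii")


def open_password(server_key: bytes, cookie: str) -> str:
    """Per-request step: verify the tag first, then recover the password."""
    enc_key, mac_key = _subkeys(server_key)
    try:
        blob = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        raise ValueError("malformed cookie")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed cookie")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie tampered or sealed under a different server key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8")


def db_connect(user: str, password: str) -> str:
    """Stand-in for DBI->connect: the only place the plaintext is ever seen."""
    return f"dbi:Pg:dbname=ledgersmb;user={user};connected"


def handle_request(server_key: bytes, user: str, cookie: str) -> str:
    """What each page handler does: unseal immediately before connecting."""
    password = open_password(server_key, cookie)
    return db_connect(user, password)


def tampered(cookie: str) -> str:
    """Demo helper: flip one bit in the ciphertext body of a sealed cookie."""
    blob = bytearray(base64.urlsafe_b64decode(cookie))
    blob[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(blob)).decode("ascii")


if __name__ == "__main__":
    server_key = secrets.token_bytes(32)  # constructed; lives only on the server
    cookie = seal_password(server_key, "s3cret-pg-pass")  # constructed password
    print("cookie:", cookie)
    print(handle_request(server_key, "ledgersmb", cookie))
    try:
        handle_request(server_key, "ledgersmb", tampered(cookie))
    except ValueError as err:
        print("rejected:", err)
```

Note the property this buys and the one it does not: an attacker who reads the cookie but lacks the server key learns nothing about the password and cannot forge a valid token, but anyone who steals the cookie and can reach the application can still act as that user until the token is invalidated, which is the same exposure as any session cookie.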