
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)



On 10/2/07, Joshua D. Drake <..hidden..> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Nighswonger wrote:
> > On 10/1/07, Chris Travers <..hidden..> wrote:
>
> > Maybe hash it in the JavaScript (or whatever method you choose),
> > store the hash in a cookie, transmit the hash, have the code unhash
> > and pass the password to the DBI connect routine. Thus the only place
> > the password is in plain text is in the connect routine. (One must
> > wonder why the connect routine is not written to take hashed passwords
> > to begin with.)
>
> Or perhaps just require SSL connectivity to PostgreSQL.

I had this thought as well, but was not sure whether this was
considered part of deployment of LedgerSMB rather than coding and
therefore the responsibility of the installer/admin. In any case SSL
adds more security to the dataflow in general, whether or not it is
the solution in this case.

Chris
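As an added illustration of the "require SSL connectivity to PostgreSQL" suggestion above (example code written for this page, not LedgerSMB's own code), the following shows the difference between a DBI DSN that merely prefers SSL and one that refuses to connect without it, and then checks server-side that the session really is encrypted. The host name `db.example.com`, database `ledgersmb`, role `lsmb_user` and the `LSMB_DB_PASSWORD` environment variable are assumed values:

```perl
#!/usr/bin/perl
# Added example (not LedgerSMB code): connecting to PostgreSQL over SSL
# from Perl DBI/DBD::Pg, so the password and all query traffic are encrypted
# between the web application and the database server.
#
# Assumed values: host db.example.com, database ledgersmb, role lsmb_user,
# password taken from the LSMB_DB_PASSWORD environment variable.
use strict;
use warnings;
use DBI;

# Weak: no sslmode given, so libpq defaults to "prefer" and silently falls
# back to a cleartext connection if the server does not offer SSL.
my $dsn_weak = 'dbi:Pg:dbname=ledgersmb;host=db.example.com';

# Hardened: refuse to connect unless the link is encrypted. sslmode is a
# libpq connection parameter, which DBD::Pg passes through unchanged.
my $dsn_ssl = 'dbi:Pg:dbname=ledgersmb;host=db.example.com;sslmode=require';

my $dbh = DBI->connect(
    $dsn_ssl, 'lsmb_user', $ENV{LSMB_DB_PASSWORD},
    { RaiseError => 1, AutoCommit => 1 },
) or die "Connect failed: $DBI::errstr";

# Confirm from the server's point of view that this backend is using SSL.
# pg_stat_ssl exists in PostgreSQL 9.5 and later; older servers need the
# sslinfo contrib module (ssl_is_used()) for the same check.
my ($ssl_on) = $dbh->selectrow_array(
    'SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()'
);
die "Session is not using SSL\n" unless $ssl_on;

print "Connected to PostgreSQL over SSL\n";
$dbh->disconnect;
```

Two caveats a deployer should keep in mind. First, `sslmode=require` only guarantees encryption; it does not verify the server's identity, so a man-in-the-middle could still obtain the password. `sslmode=verify-full` with an `sslrootcert` parameter (available from PostgreSQL 8.4 onwards) closes that gap. Second, the client-side setting should be backed by the server: `ssl = on` in postgresql.conf, and `hostssl` rather than `host` records in pg_hba.conf for the LedgerSMB database, so that a cleartext connection is rejected regardless of how the client was configured.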