
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)




Chris Travers wrote:
> On 10/2/07, David Tangye <..hidden..> wrote:
>> On 10/3/07, Ashley J Gittins <..hidden..> wrote:
>>> As I understand it (and I am pretty likely to get this wrong so feel free to
>>> point that out) the only reason we have to send the user/pass on every http
>>> request is because of the change to using postgresql to authenticate every
>>> request (ie, server-side, LSMB logs into psql as the actual user), therefore
>>> requiring the password to do so.
>>
>> Let me try to answer this: see if I am right. (Chris?)
>> I am guessing that the user/password and any other session data is sent on
>> every http request is to code in a RESTful way, ie with AJAX. This way a
>> session's state is kept within the session, ie passed back and forward with
>> the data. The alternative is to either hold session state info on the
>> server, in the hope that the session will be needed by future client
>> requests, and then have to code stuff to manage this data, eg when to get
>> rid of it, or else pass server-side info as cookies and code client side
>> stuff to manage this data when it's not needed.

> 
> That is the thing though. We are not using a single db user account. Every
> user is represented by a DB user account.

We are making this far more complicated than it needs to be. Let's just
make it so ssl is part of the ledgersmb requirements and include the
docs to handle that. We can even include a simple wizard that will
create the postgresql ssl stuff.

Further, we should make it part of the requirements that a user use
https to talk to lsmb as well.

If the user then decides not to run ssl, it is their problem.

Joshua D. Drake


> 
> Best Wishes,
> Chris Travers
> 


- --

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997  http://www.commandprompt.com/
			UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/
