Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)
- Subject: Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)
- From: "Joshua D. Drake" <..hidden..>
- Date: Wed, 03 Oct 2007 10:12:54 -0700
Chris Travers wrote:
> On 10/2/07, David Tangye <..hidden..> wrote:
>> On 10/3/07, Ashley J Gittins <..hidden..> wrote:
>>> As I understand it (and I am pretty likely to get this wrong so feel free to
>>> point that out) the only reason we have to send the user/pass on every http
>>> request is because of the change to using postgresql to authenticate every
>>> request (ie, server-side, LSMB logs into psql as the actual user), therefore
>>> requiring the password to do so.
>>
>> Let me try to answer this: see if I am right. (Chris?)
>> I am guessing that the user/password and any other session data is sent on
>> every http request is to code in a RESTful way, ie with AJAX. This way a
>> session's state is kept within the session, ie passed back and forward with
>> the data. The alternative is to either hold session state info on the
>> server, in the hope that the session will be needed by future client
>> requests, and then have to code stuff to manage this data, eg when to get
>> rid of it, or else pass server-side info as cookies and code client side
>> stuff to manage this data when it's not needed.
>
> That is the thing though. We are not using a single db user account. Every
> user is represented by a DB user account.
We are making this far more complicated than it needs to be. Let's just
make it so ssl is part of the ledgersmb requirements and include the
docs to handle that. We can even include a simple wizard that will
create the postgresql ssl stuff.
Further, we should make it part of the requirements that a user use
https to talk to lsmb as well.
If the user then decides not to run ssl, it is their problem.
Joshua D. Drake
>
> Best Wishes,
> Chris Travers
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997 http://www.commandprompt.com/
UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/