[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Credentials

Hi Brian,

On Thu, Aug 1, 2013 at 5:01 PM, Brian Wolf <..hidden..> wrote:
To ease development in other programming languages (Python in my case), it's crucial to understand how to obtain credentials from the system after a user has successfully logged on.  I can see there is a Perl subroutine called get_credentials() which examines the basic authentication.  But, reading Perl code (and translating it into Python) is not that simple.

Can someone give me some guidance on how to obtain the user's password once logged in?  If it is not already available (and I mean in its original, unhashed format), can it be added safely to a cookie?  Perhaps if encrypted (with, say, blowfish or some modern encryption)?

LedgerSMB uses the Authorization header in the HTTP protocol to transfer the user name and password. In order to be able to access the password and user name in clear text, the Basic authentication scheme *has* to be used.

In pseudo code, this is what get_credentials() does:

 * Find the HTTP_AUTHORIZATION environment variable's value
 * Return HTTP error code 401 if the variable has no value/ doesn't exist (in that case, code exits here)
 * Remove the leading "Basic " string as per the example given in http://en.wikipedia.org/wiki/Basic_access_authentication#Client_side
 * Base64-decode the remaining string
 * Split the decoded string at the colon (':'), where the user name is the first value returned with the second being the password



Brian Wolf
Email: ..hidden..
Try out Activus Secure Payments™, our recurring payments application.

Get your SQL database under version control now!
Version control is standard for application code, but databases havent
caught up. So what steps can you take to put your SQL databases under
version control? Why should you start doing it? Read more to find out.
Ledger-smb-devel mailing list



http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.