----- Original Message -----
> On Wednesday 02 January 2013, Eric Covener wrote:
> > On Wed, Jan 2, 2013 at 4:02 PM, Stefan Fritsch <s...@sfritsch.de>
> wrote:
> > > On Wednesday 02 January 2013, Jim Jagielski wrote:
> > >> For *real* improvement, wouldn't storing in socache be
> > >> the optimal method?
> > > 
> > > Yes. I fear there may be some knee-jerk reaction like "oh my god,
> > > they are keeping all the passwords in plain-text". But if it
> > > would be limited to the shmcb socache provider, and if the
> > > passwords would be cleared after some time of not being used, I
> > > don't see any real security problems. Any other opinions?
> > 
> > For authentication, can you already opt-in to effectively this with
> > the mod_authn_socache?
> 
> No, mod_authn_socache only caches the lookup of the password hash. It
> avoids having to open the password file/dbm/whatever but it still
> calls apr_password_validate() every time. Maybe it should be extended
> to also cache the real password and the result of
> apr_password_validate()?
> 

Stupid question time:
Why can't we store the password *hash* in the socache instead of
the plain-text password?

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
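The two caching strategies the quoted reply contrasts, as an added toy model in Python (not httpd or APR code): the first caches only the stored hash lookup, as the reply says mod_authn_socache does, so the slow hash still runs on every request; the second caches a successful validation result so repeat requests skip it. Rather than keeping the plain-text password, the second keys its entry by an HMAC of the submitted credentials under a per-process random key with a TTL; that keyed-tag design, slow_hash() standing in for apr_password_validate(), and the user entry are assumptions constructed for this example.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # stand-in for a deliberately slow password hash (bcrypt etc.)

def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the expensive work apr_password_validate() does per call."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed "password file": user -> (salt, stored hash)
SALT = b"constructed-salt"
PASSWD_FILE = {"alice": (SALT, slow_hash("correct horse", SALT))}

class HashLookupCache:
    """Models mod_authn_socache as described: caches the stored hash, not the result."""
    def __init__(self):
        self.cache, self.validations = {}, 0

    def check(self, user: str, password: str) -> bool:
        entry = self.cache.get(user) or PASSWD_FILE.get(user)
        if entry is None:
            return False
        self.cache[user] = entry            # lookup is cached...
        self.validations += 1               # ...but the slow hash runs every time
        return hmac.compare_digest(slow_hash(password, entry[0]), entry[1])

class ValidationResultCache:
    """Models caching the validation result so repeat requests skip the slow hash.
    Keyed by an HMAC of (user, password) under a per-process random key, so the
    cache never holds the plain-text password (assumption, not httpd's design)."""
    def __init__(self, ttl: float = 300.0):
        self.key, self.ttl = os.urandom(32), ttl
        self.cache, self.validations = {}, 0   # (user, tag) -> expiry time

    def _tag(self, user: str, password: str) -> str:
        return hmac.new(self.key, f"{user}\0{password}".encode(), "sha256").hexdigest()

    def check(self, user: str, password: str, now: float) -> bool:
        k = (user, self._tag(user, password))
        if self.cache.get(k, -1.0) > now:      # cached and not expired: no slow hash
            return True
        self.cache.pop(k, None)                # drop an expired entry
        entry = PASSWD_FILE.get(user)
        if entry is None:
            return False
        self.validations += 1
        ok = hmac.compare_digest(slow_hash(password, entry[0]), entry[1])
        if ok:
            self.cache[k] = now + self.ttl    # only successful validations are cached
        return ok
```

The `validations` counters make the difference visible: the first class pays the slow hash on every correct login, the second only once per TTL window.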