On Wednesday 02 January 2013, Eric Covener wrote:
> On Wed, Jan 2, 2013 at 4:02 PM, Stefan Fritsch <[email protected]> wrote:
> > On Wednesday 02 January 2013, Jim Jagielski wrote:
> >> For *real* improvement, wouldn't storing in socache be
> >> the optimal method?
> >
> > Yes. I fear there may be some knee-jerk reaction like "oh my god,
> > they are keeping all the passwords in plain-text". But if it
> > would be limited to the shmcb socache provider, and if the
> > passwords would be cleared after some time of not being used, I
> > don't see any real security problems. Any other opinions?
>
> For authentication, can you already opt-in to effectively this with
> the mod_authn_socache?
No, mod_authn_socache only caches the lookup of the password hash. It avoids having to open the password file/dbm/whatever but it still calls apr_password_validate() every time. Maybe it should be extended to also cache the real password and the result of apr_password_validate()?
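As an added illustration, not code from this thread or from httpd: a Python sketch of what caching the result of the password check (rather than only the hash lookup) looks like. Instead of storing the real password, the cache key is a keyed hash of the stored hash plus the candidate password under a process-local random key, so a dump of the cache exposes neither plaintext nor anything checkable offline; entries are dropped after an idle TTL, as the thread proposes. `slow_validate`, `make_stored_hash` and the `salt$digest` format are constructed stand-ins for apr_password_validate() and are not httpd's API.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # deliberately expensive, to mimic a real password hash


def make_stored_hash(password: str) -> str:
    """Constructed 'salt$digest' format standing in for an htpasswd entry."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def slow_validate(password: str, stored: str) -> bool:
    """Stand-in for apr_password_validate(): the expensive per-request check."""
    salt_hex, digest_hex = stored.split("$", 1)
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(calc.hex(), digest_hex)


class ValidationCache:
    """Caches the *outcome* of a password check, not the password.

    Key = HMAC(process_key, stored_hash || 0x00 || password). The key lives
    only in this process, so cache contents cannot be brute-forced offline.
    Entries expire after `ttl` seconds without being used.
    """

    def __init__(self, ttl: float, now=time.monotonic):
        self._key = secrets.token_bytes(32)
        self._ttl = ttl
        self._now = now            # injectable clock, for tests
        self._entries = {}         # cache key -> last_used timestamp
        self.hits = 0
        self.misses = 0

    def _cache_key(self, stored: str, password: str) -> bytes:
        msg = stored.encode() + b"\x00" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def validate(self, password: str, stored: str) -> bool:
        now = self._now()
        key = self._cache_key(stored, password)
        last_used = self._entries.get(key)
        if last_used is not None and now - last_used < self._ttl:
            self.hits += 1
            self._entries[key] = now   # refresh the idle timer
            return True
        self.misses += 1
        ok = slow_validate(password, stored)
        # Only successes are cached: a wrong password gains nothing from
        # caching, and a changed stored hash yields a different key anyway.
        if ok:
            self._entries[key] = now
        return ok

    def purge_expired(self) -> int:
        """Drop idle entries; returns how many were removed."""
        now = self._now()
        stale = [k for k, t in self._entries.items() if now - t >= self._ttl]
        for k in stale:
            del self._entries[k]
        return len(stale)


def demo():
    """Walk through miss, hit, rejected guess, expiry and re-validation."""
    clock = [0.0]
    cache = ValidationCache(ttl=60, now=lambda: clock[0])
    stored = make_stored_hash("correct horse")   # constructed credential
    r1 = cache.validate("correct horse", stored)  # miss: slow path, cached
    r2 = cache.validate("correct horse", stored)  # hit: no slow check
    r3 = cache.validate("wrong guess", stored)    # miss: rejected, not cached
    clock[0] = 100.0                              # idle longer than ttl
    purged = cache.purge_expired()                # the one entry expires
    r4 = cache.validate("correct horse", stored)  # miss again: slow path
    return {"results": (r1, r2, r3, r4), "hits": cache.hits,
            "misses": cache.misses, "purged": purged}


if __name__ == "__main__":
    print(demo())
```

The idle timeout is what bounds the exposure window; a fixed-size shared-memory provider such as shmcb would also evict entries under pressure, which this in-process dictionary does not model.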
