Jörn Nettingsmeier wrote:
hi!
here are some thoughts about a possible future authentication scheme:
* all passwords are stored as hashes only.
* authentication happens via challenge/response so that no
plaintext-equivalent data travels across the network. this assumes some
client-side javascript code to compute the response (afaik, http digest
is no real alternative because it uses plaintext-equivalent hashes).
* the challenge changes all the time, so that replay attacks don't work.
+1
* additionally, we come up with some neat documentation about how to
enforce ssl connections for authoring and live ac login.
Is that documentation already online? I am very much interested in it.
We did also enforce SSL by using a separate RewriteRule. Do you use
another approach?
BTW the security stuff becomes even more important if you use e.g. an LDAP
server for authentication where users use accounts which are not only
used for CMS login!
jann
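Added example, written for this thread and not code from either poster or the project: a minimal version of the scheme Jörn sketches, where the server stores only a salted hash, issues a fresh random challenge per attempt, and the client answers with HMAC(hash, challenge); all names, the PBKDF2 parameters and the TTL are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed demo of challenge/response login over a hashed password store.
# The challenge is random, single-use and time-limited, so a captured
# response cannot be replayed against a later login attempt.

def password_hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash kept server-side (PBKDF2 parameters are illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def compute_response(pw_hash: bytes, challenge: bytes) -> str:
    """Client side (the JavaScript part in the thread): HMAC-SHA256(hash, challenge)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).hexdigest()

class AuthServer:
    def __init__(self, ttl_seconds: int = 60):
        self.users = {}        # username -> (salt, pw_hash); no plaintext stored
        self.challenges = {}   # username -> (challenge, issued_at)
        self.ttl = ttl_seconds

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, password_hash(password, salt))

    def issue_challenge(self, username: str):
        """Return (salt, challenge); the salt lets the client recompute the stored hash."""
        salt = self.users[username][0] if username in self.users else os.urandom(16)
        challenge = os.urandom(32)          # new nonce every attempt, replaces the old one
        self.challenges[username] = (challenge, time.monotonic())
        return salt, challenge

    def verify(self, username: str, response: str) -> bool:
        # pop() consumes the challenge: the same response can never be accepted twice
        entry = self.challenges.pop(username, None)
        if entry is None or username not in self.users:
            return False
        challenge, issued_at = entry
        if time.monotonic() - issued_at > self.ttl:
            return False                     # stale challenge, client must start over
        expected = compute_response(self.users[username][1], challenge)
        return hmac.compare_digest(expected, response)
```

Note that the stored hash is the HMAC key here, so it is plaintext-equivalent for this protocol, which is the same caveat the quoted text raises about HTTP Digest; the password store itself still has to be protected.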