Simon Groenewolt wrote:
> Kees Jongenburger wrote:
>
> >>You could append a random number to the username to get such an
> >>identifier. Or use something like MD5 on username+password.
> >
> >hhm and on the server side use a md5 crack to find the user back again?
>
> No, store the key in the user object - just as you say below.
>
> >
> >for my project I store a generated key in the user object
> >and use the userid/key combo for auto login
> >and the username/password as login screen
>
> That was exactly what I meant :-)

So, that field is like an alternative password, and about as good, because if you have it, you only need to offer it as a cookie... I think you don't use one of the existing mmbase security implementations then?

Anyhow, I did similarly for cloud-context security, where I added a switch to make the md5 as good as the password itself. Then you can store the md5 in a cookie, and use it instead of the password. But still this sabotages the actual goal of the md5 (therefore this option is off by default), because if the md5 is as good as the password, the md5 itself is then sensitive, and should not be exposed. Happily an md5 is considerably more difficult to learn by heart at a glance than an average password like 'amsterdam', so some justification can be found...

Perhaps the cookie should contain an md5 of the user's IP, then the cookie is only usable on a certain IP, and then is perhaps considerably less sensitive. The user only needs to type her password then when she starts using another computer (and by that immediately invalidates all cookies in the internet-cafes...)...

Michiel

--
Michiel Meeuwissen       mihxil'
Peperbus 111 MediaPark H'sum
+31 (0)35 6772979
nl_NL eo_XX en_US
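
Added example, not part of the original thread and not MMBase code: a sketch of the auto-login cookie discussed above, with a random key stored (hashed) in the user record, bound to the client IP, and replaced on every password login so older cookies stop working. HMAC-SHA256 stands in for the MD5 of the IP; `USERS`, `SERVER_KEY`, the function names and the sample IPs are assumptions made for this illustration, and user ids are assumed not to contain `:`.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
USERS = {}                            # hypothetical user store: user_id -> sha256(auto-login key)


def _ip_tag(user_id: str, key: str, client_ip: str) -> str:
    """HMAC-SHA256 tying the key to one client IP (used here instead of MD5 of the IP)."""
    msg = f"{user_id}|{key}|{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def password_login(user_id: str, client_ip: str) -> str:
    """Call only after the username/password check succeeded; returns the cookie value.

    The fresh key overwrites the stored one, so cookies left on other machines die.
    """
    key = secrets.token_urlsafe(32)  # random, unrelated to the password
    # Store only a hash, so a leaked user table does not yield usable cookies.
    USERS[user_id] = hashlib.sha256(key.encode()).hexdigest()
    return f"{user_id}:{key}:{_ip_tag(user_id, key, client_ip)}"


def auto_login(cookie: str, client_ip: str) -> Optional[str]:
    """Return the user id if the cookie is valid for this IP, else None."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user_id, key, tag = parts
    stored = USERS.get(user_id)
    if stored is None:
        return None
    presented = hashlib.sha256(key.encode()).hexdigest()
    # Constant-time comparisons for both the key and the IP binding.
    key_ok = hmac.compare_digest(stored.encode(), presented.encode())
    ip_ok = hmac.compare_digest(tag.encode(), _ip_tag(user_id, key, client_ip).encode())
    return user_id if key_ok and ip_ok else None


if __name__ == "__main__":
    cookie = password_login("kees", "192.0.2.10")   # constructed sample values
    print(auto_login(cookie, "192.0.2.10"))         # same machine
    print(auto_login(cookie, "198.51.100.7"))       # cookie replayed from another IP
```

Because the key is random rather than derived from the password, exposing the cookie does not expose the password, which is the concern raised about making the md5 "as good as the password".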
