It should be possible to provide a fallback to go with unencrypted authentication @ server side depending on whether a flag is set at client side by JavaScript (using a cookie or hidden field).

Anyway, the only limitation of this technique I see is that it can't be used in cases where the one-way hashing algorithm to encrypt the password @ server side is not MD5, which in turn will limit the versatile nature of choosing the password encryption mechanism provided by a web development framework like Django.

Regards,
M N Islam Shihan

On May 3, 2009, at 10:52 AM, Jerome Leclanche <[email protected]> wrote:

> Is there a fallback to normal auth possible if js is not running? I
> like the idea, but preventing someone who doesn't have js enabled to
> register/auth is pretty harsh.
>
> On Sun, May 3, 2009 at 6:27 AM, Paul Johnston <[email protected]> wrote:
>>
>> Hi,
>>
>> Many web sites have a user name and password login system, and do not
>> use SSL. As a consequence, users' passwords are transmitted over the
>> internet unencrypted. This puts them at risk, particularly if the user
>> is on a shared ethernet segment, or open wireless network.
>>
>> For many years I have provided a JavaScript MD5 library
>> (http://pajhome.org.uk/crypt/md5/), which can be used to perform a
>> challenge-response login. This avoids passwords being transmitted
>> unencrypted, although the security is not as strong as SSL. A number of
>> web sites currently use this technique; for some years Yahoo did,
>> although they now have SSL login.
>>
>> However, the use of JavaScript MD5 is not widespread. I think this is
>> because few authentication libraries support it. It is possible for a
>> library to provide JavaScript MD5 as an authentication mechanism, with
>> the details hidden from the application developer. In fact, it's quite
>> easy to implement, and there is a lot of guidance on my site.
>>
>> So, this is a call to the authors of all web authentication libraries.
>> Add JavaScript MD5 as an authentication mechanism. And then let me
>> know, so I can link to you from my site. If you need any help
>> implementing it, drop me a line, I'll do what I can.
>>
>> I think supporting this mode would be a big selling point for any
>> authentication library. And if support becomes widespread, the
>> internet becomes a little bit safer for everyone.
>>
>> Best wishes,
>>
>> Paul
>
> --
> Adys
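
The challenge-response login discussed in this thread, as an added Python example (not part of the original messages, and not code from the JavaScript MD5 library or Django). It assumes the server stores MD5(password) and that the response is MD5(nonce + MD5(password)); the class and function names, the salt and the sample credential are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


class ChallengeResponseServer:
    """Server side. Assumption: the user table holds one hex digest per user."""

    def __init__(self, stored_hashes):
        self.stored_hashes = stored_hashes
        self.pending = {}  # username -> outstanding nonce

    def issue_challenge(self, username):
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        # pop() makes each nonce single-use, so a captured response cannot be replayed.
        nonce = self.pending.pop(username, None)
        stored = self.stored_hashes.get(username)
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(md5_hex(nonce + stored), response)


def client_response(password, nonce):
    """What the browser-side script would compute; only this digest is sent."""
    return md5_hex(nonce + md5_hex(password))


def demo():
    password = "correct horse"  # constructed sample credential
    md5_server = ChallengeResponseServer({"alice": md5_hex(password)})
    response = client_response(password, md5_server.issue_challenge("alice"))
    first = md5_server.verify("alice", response)
    replay = md5_server.verify("alice", response)  # nonce already consumed
    # Limitation raised in the reply: with a salted SHA-1 store the server
    # holds nothing it can match against an MD5-based response.
    salted = hashlib.sha1(("s4lt" + password).encode("utf-8")).hexdigest()
    sha1_server = ChallengeResponseServer({"alice": salted})
    nonce = sha1_server.issue_challenge("alice")
    mismatch = sha1_server.verify("alice", client_response(password, nonce))
    return {"first": first, "replay": replay, "sha1_store": mismatch}
```

`demo()` shows a correct login succeeding once, the same response being rejected on replay, and verification failing when the stored hash is not the MD5 the client can reproduce.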
