On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
> In going to native DB accounts, one of the difficulties we have to resolve
> is how to effectively authenticate serial requests. The major problem has
> to do with how the password to the database is stored. I am going to
> suggest that we move to using HTTP authentication as the primary mechanism
> of authentication and automate this from the login screen where possible
> using JavaScript.

I trust we will hash the password somehow before transmitting it from the browser...

> A secondary method could be offered where the passwords
> are stored in the db, but this has more serious security concerns associated
> and therefore I would suggest that we do not go that route.
>
> The major issue with storing the information in the session object is that a
> database superuser could review all passwords of all currently logged in
> users. I don't think that this is acceptable as it both allows a set of
> trusted individuals to bypass security of the db and also undermines basic
> security mechanisms of PostgreSQL as a whole (which we rely on). If anyone
> has better ideas, I am open to them. However, this will also put us within
> striking distance of transparent single signon support (for things like
> Kerberos).
>
> The big disadvantage is that some browsers may handle authentication
> differently and we will have to address this.
>
> Best Wishes,
> Chris Travers

--
Chris Nighswonger
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org
[EMAIL PROTECTED]
V:910-892-8761 C:919-820-5473

_______________________________________________
Ledger-smb-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
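The design the quoted message describes, credentials taken from the HTTP Authorization header on each request and only a login name kept in the server-side session, sketched as an added example; this is not code from the thread or from LedgerSMB, and the user table and `fake_connect` are constructed stand-ins for a real PostgreSQL connection:

```python
import base64
import binascii
import secrets


def parse_basic_auth(header):
    """Parse 'Authorization: Basic <base64(user:password)>' into (user, password).
    Returns None for a missing header, a non-Basic scheme, bad base64, or no colon."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(b":")  # password itself may contain ':'
    if not sep or not user:
        return None
    try:
        return user.decode("utf-8"), password.decode("utf-8")
    except UnicodeDecodeError:
        return None


class SessionStore:
    """Server-side sessions keyed by a random id. Only the login name is stored,
    so a dump of this table (what a DB superuser could read) holds no password."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user}
        return sid

    def dump(self):
        return dict(self._sessions)


# Constructed stand-in for the database: in the real design PostgreSQL checks
# the password when the per-request connection is opened as that native user.
FAKE_DB_USERS = {"alice": "s3cret"}


def fake_connect(user, password):
    return FAKE_DB_USERS.get(user) == password


def handle_request(auth_header, store, connect):
    """Use the header credentials once to open the connection, then drop them."""
    creds = parse_basic_auth(auth_header)
    if creds is None or not connect(*creds):
        return 401, None
    return 200, store.create(creds[0])


def login_demo(auth_header):
    """One login against the stand-in DB; returns the status and the session row."""
    store = SessionStore()
    status, sid = handle_request(auth_header, store, fake_connect)
    return status, store.dump().get(sid)
```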
