On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Travers wrote:
> > On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote:
> >> On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote:
> >>> As I understand it (and I am pretty likely to get this wrong so feel
> >>> free to point that out) the only reason we have to send the user/pass
> >>> on every http request is because of the change to using postgresql to
> >>> authenticate every request (ie, server-side, LSMB logs into psql as
> >>> the actual user), therefore requiring the password to do so.
> >>
> >> Let me try to answer this: see if I am right. (Chris?)
> >> I am guessing that the user/password and any other session data is
> >> sent on every http request in order to code in a RESTful way, ie with
> >> AJAX. This way a session's state is kept within the session, ie passed
> >> back and forward with the data. The alternative is to either hold
> >> session state info on the server, in the hope that the session will be
> >> needed by future client requests, and then have to code stuff to manage
> >> this data, eg when to get rid of it, or else pass server-side info as
> >> cookies and code client side stuff to manage this data when it's not
> >> needed.
> >
> > That is the thing though. We are not using a single db user account.
> > Every user is represented by a DB user account.
>
> We are making this far more complicated than it needs to be. Let's just
> make it so ssl is part of the ledgersmb requirements and include the
> docs to handle that. We can even include a simple wizard that will
> create the postgresql ssl stuff.
>
> Further, we should make it part of the requirements that a user use
> https to talk to lsmb as well.
>
> If the user then decides not to run ssl, it is their problem.
I second this. It really reduces the surface area for attack.

Chris

_______________________________________________
Ledger-smb-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
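The proposal above (make SSL a hard requirement on the PostgreSQL side, with a small wizard that sets it up) is the kind of thing that can be checked mechanically. The script below is an added example, not LedgerSMB project code: it audits a postgresql.conf fragment and a pg_hba.conf fragment for paths that would let a per-user database password cross the network in cleartext, and shows the hardened form of each. The configuration fragments are constructed samples, and the function names (`audit`, `harden_pg_hba`, and so on) are this example's own. It relies on two documented PostgreSQL rules: `hostssl` rules only take effect when `ssl = on`, and the last assignment of a parameter in postgresql.conf wins.

```python
import re

# Constructed sample fragments for demonstration (not from any real deployment).
SAMPLE_POSTGRESQL_CONF = """\
listen_addresses = '*'
ssl = off              # TLS disabled: every per-user password is sent in cleartext
#ssl_cert_file = 'server.crt'
"""

SAMPLE_PG_HBA = """\
# TYPE     DATABASE   USER   ADDRESS          METHOD
local      all        all                     md5
host       ledgersmb  all    0.0.0.0/0        md5
hostssl    ledgersmb  all    10.0.0.0/8       md5
hostnossl  all        all    192.168.1.0/24   trust
"""

SSL_TRUE = {"on", "true", "yes", "1"}


def postgresql_ssl_enabled(conf_text):
    """True if the effective 'ssl' setting turns TLS on.

    PostgreSQL applies the last uncommented assignment when a parameter
    appears more than once, so we keep scanning and take the final value.
    """
    enabled = False
    for raw in conf_text.splitlines():
        code = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"^ssl\s*=\s*'?([A-Za-z0-9]+)'?$", code)
        if m:
            enabled = m.group(1).lower() in SSL_TRUE
    return enabled


def cleartext_hba_rules(hba_text):
    """Return (line_no, type, database, user, address, method) for every
    pg_hba.conf rule that accepts a TCP login without TLS.

    'host' matches both TLS and non-TLS connections; 'hostnossl' matches
    only non-TLS ones. Unix-socket 'local' rules never cross the network.
    """
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] in ("host", "hostnossl"):
            findings.append((line_no, fields[0], fields[1], fields[2], fields[3], fields[4]))
    return findings


def harden_pg_hba(hba_text):
    """Rewrite 'host' rules to 'hostssl' and drop 'hostnossl' rules entirely."""
    out = []
    for raw in hba_text.splitlines():
        fields = raw.split()
        if fields and fields[0] == "hostnossl":
            continue                                  # no cleartext-only path
        if fields and fields[0] == "host":
            raw = re.sub(r"^(\s*)host\b", r"\1hostssl", raw)
        out.append(raw)
    return "\n".join(out) + "\n"


def harden_postgresql_conf(conf_text):
    """Force 'ssl = on', appending the line if the parameter is absent."""
    out, seen = [], False
    for raw in conf_text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if re.match(r"^ssl\s*=", code):
            out.append("ssl = on")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("ssl = on")
    return "\n".join(out) + "\n"


def audit(conf_text, hba_text):
    """Summarise both checks; 'ok' is True only when TLS is on and no
    cleartext network rule remains."""
    ssl_on = postgresql_ssl_enabled(conf_text)
    rules = cleartext_hba_rules(hba_text)
    return {"ssl_enabled": ssl_on, "cleartext_rules": rules, "ok": ssl_on and not rules}


if __name__ == "__main__":
    before = audit(SAMPLE_POSTGRESQL_CONF, SAMPLE_PG_HBA)
    for line_no, rtype, db, user, addr, method in before["cleartext_rules"]:
        print(f"pg_hba.conf:{line_no}: '{rtype}' rule for {db}/{user} from {addr} "
              f"(method {method}) accepts a login without TLS")
    after = audit(harden_postgresql_conf(SAMPLE_POSTGRESQL_CONF),
                  harden_pg_hba(SAMPLE_PG_HBA))
    print("before ok:", before["ok"], "| after ok:", after["ok"])
```

This only closes the server side of the problem. The LedgerSMB process that opens the per-user database connection should also insist on TLS from its end (a libpq `sslmode` of at least `require`, ideally `verify-full` with the server certificate checked), otherwise a misconfigured client can still fall back to cleartext against a server that happens to offer both.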
