On Mon, Nov 3, 2014 at 6:58 AM, Tim Kuijsten <[email protected]> wrote:

> Matt wrote on 02-11-14 at 22:01:
>> Having said that, it's not a terrible idea to implement this kind of
>> thing, it just seems like you may be over-thinking it. It's far more
>> important to get the basics of security right in your application, and
>> most people don't spend nearly enough time on that.
Tim, is your server storing passwords in plain text? If so, that's probably your biggest security problem.

And how are you dropping privileges in your child? If the child can get the privileges back, you have separation of responsibility, but not separation of privileges.

And in terms of future-proofing your architecture, you might consider implementing user-authentication as an arbitrary separate process, not the parent, to give you the ability to use different authentication schemes. Have you considered OAUTH, so that passwords don't flow through your server at all?

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/CACmrRmTvC-n76ZoR9M%2B9mc8btgd_ejqjBTMEAXYWAAELv0Ad%2BQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
