On 6 Mar, 2006, at 2:53 am, Mike Orr wrote:
> Another naive comment by someone who hasn't used Identity.  Don't
> people log in at a specific URL?  Isn't that enough to verify whether
> the username/password fields are "ours" or not?  Or the config file
> could specify which fields to look for.

There are two ways to log into a Web application using Identity.

One, hit an explicit login URL which serves up a form. You fill out the form and submit it. Identity pulls the user_name and password from the form and logs you in. Your controller method simply checks to see whether the current visitor is anonymous.

Two, your controller method is set to require certain permissions. The current visitor doesn't have those permissions, so TG displays your login page *at the same URL* as the protected resource. When the visitor submits his credentials, Identity pulls the user_name and password from the form and logs the visitor in. Your protected controller is then called again (and this may repeat if the visitor's credentials don't give him access to this controller).

The tg_identity_login form variable is intended to differentiate scenario 2 from any other form that happens to include user_name and password (like a registration form).

> The main problem with the hidden field is it exposes
> security-sensitive information; namely, which authentication module
> you're using.  So a creep can look up "tg_identity_login" on a creepy
> website and find out (1) this is turbogears.Identity, and (2) here are
> the top ten exploits against it.

Obscurity isn't the security method we should be going for. Ideally, we should be able to put a big badge on TG-based Web applications and know that things are secure. And there are probably a few other little tell-tales in TG-based apps that would give away the framework: MochiKit coming from tg_js springs to mind.

--
Jeff Watkins

"Computers are like Old Testament gods; lots of rules and no mercy."
-- Joseph Campbell



You received this message because you are subscribed to the Google Groups "TurboGears" group.
For more options, visit this group at http://groups.google.com/group/turbogears
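The two login flows Jeff describes above, modelled in plain Python as an added example. This is not TurboGears or Identity code: the Request/Response types, the `require` decorator, the `identity_hook`, the sample users, and the three controllers are all constructed here to show the shape of the mechanism. The point it demonstrates is the one in the thread: only a form that carries the tg_identity_login marker is treated as a login attempt (so a registration form with the same field names is left alone), and a protected controller serves the login form at its own URL and is re-entered once credentials are accepted, repeating if the authenticated user still lacks the permission.

```python
"""Toy model of the two Identity-style login flows (constructed example, not TG's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

LOGIN_MARKER = "tg_identity_login"  # hidden field that tags a credential submission


def _hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample users: name -> (salt, password hash, permissions).
USERS: Dict[str, tuple] = {
    "alice": ("s1", _hash("correct horse", "s1"), {"admin"}),
    "bob": ("s2", _hash("battery staple", "s2"), set()),
}


@dataclass
class Request:
    path: str
    method: str = "GET"
    form: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)  # shared across a visitor's requests


@dataclass
class Response:
    status: int
    body: str


def check_password(user_name: str, password: str) -> bool:
    rec = USERS.get(user_name)
    if rec is None:
        return False
    salt, digest, _ = rec
    return hmac.compare_digest(_hash(password, salt), digest)


def current_user(req: Request) -> Optional[str]:
    return req.session.get("user")


def permissions_of(user: Optional[str]) -> Set[str]:
    return USERS[user][2] if user else set()


def identity_hook(req: Request) -> None:
    """Runs before every controller. Only a POST carrying LOGIN_MARKER is a
    login attempt; any other form with user_name/password fields (a
    registration form, say) is passed through untouched."""
    if req.method != "POST" or LOGIN_MARKER not in req.form:
        return
    user_name = req.form.pop("user_name", "")
    password = req.form.pop("password", "")
    req.form.pop(LOGIN_MARKER)
    if check_password(user_name, password):
        req.session["user"] = user_name


def login_form(action: str) -> Response:
    """The login page. `action` is the URL the form posts back to; in the
    protected-resource flow that is the protected URL itself."""
    html = (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="{LOGIN_MARKER}" value="1">'
            '<input name="user_name"><input type="password" name="password">'
            '</form>')
    return Response(401, html)


def require(*needed: str):
    """Controller decorator: missing permissions -> login form at the same URL."""
    def wrap(controller: Callable[[Request], Response]):
        def guarded(req: Request) -> Response:
            if not set(needed) <= permissions_of(current_user(req)):
                return login_form(req.path)
            return controller(req)
        return guarded
    return wrap


# --- hypothetical application controllers ---
def login(req: Request) -> Response:          # flow one: explicit login URL
    user = current_user(req)
    return Response(200, f"logged in as {user}") if user else login_form("/login")


@require("admin")
def secret(req: Request) -> Response:         # flow two: protected resource
    return Response(200, f"secret data for {current_user(req)}")


def register(req: Request) -> Response:       # same field names, no marker: not a login
    return Response(200, f"registered {req.form.get('user_name')}")


ROUTES = {"/login": login, "/secret": secret, "/register": register}


def dispatch(req: Request) -> Response:
    identity_hook(req)
    return ROUTES[req.path](req)
```

Walking a session through `dispatch`: an anonymous GET of /secret returns the login form whose action is /secret; a POST back to /secret with the marker and valid credentials sets the session user and falls through to the protected controller; a POST of the same field names to /register without the marker logs nobody in. Note that the hidden field name is visible in the served HTML, which is exactly the fingerprint Mike objects to and Jeff argues is not worth hiding.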