[albatross-users] Encrypting passwords in a session
Eric S. Johansson
esj at harvee.org
Thu Jul 10 23:00:13 EST 2003
Eric S. Johansson wrote:
> I'll think about
> the class overnight and post suggestion in the morning.
Simple_authenticated_application would need two additional arguments. First is
the login screen URL, second is the lifetime of an authentication token.
Default values should be available for both.
It also seems that we wouldn't need much in the way of additional:
logout_user(): invalidates login token for this user and removes token from HTML
output stream.
who_is_user(): yields username of user. (Note: Login process should also set
remote_user environment variable)
login_duration(): (would be nice) yields time since user login
All of the checking for a valid login, redirection to the login screen, etc. would
happen invisibly to the user as part of the new class, which means the
application code really doesn't need to change.
Using the design for authentication tokens shown in section 4 of
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf, we don't need to have any
persistent server-side session state if we're willing to accept some of the
trade-offs (i.e. difficulty in terminating authentication authorization before
expiration).
Make sense?
---eric
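An added illustration of the stateless approach the post describes (this is not code from the post, nor from Albatross): the token carries the username, login time and expiry under a keyed MAC, so only the server key is needed to check it, and a hypothetical sketch of the proposed class shows the three methods on top of it. The token field layout, the class name and the method signatures are assumptions.

```python
# Stateless authentication token: "username|login_time|expiry|HMAC" (assumed layout).
import hashlib
import hmac


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_token(key: bytes, username: str, lifetime: int, now: int) -> str:
    """Issue a token at login time; no server-side record of it is kept."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    payload = f"{username}|{now}|{now + lifetime}"
    return payload + "|" + _mac(key, payload)


def verify_token(key: bytes, token: str, now: int):
    """Return (username, login_time) for an authentic, unexpired token, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, login_at, expires_at, digest = parts
    # Check the MAC (in constant time) before trusting any field.
    if not hmac.compare_digest(digest, _mac(key, "|".join(parts[:3]))):
        return None
    login_at, expires_at = int(login_at), int(expires_at)  # fields are ours once the MAC holds
    if now >= expires_at or now < login_at:
        return None
    return username, login_at


class SimpleAuthenticatedApplication:
    """Hypothetical sketch of the class discussed in the post (not Albatross code)."""

    def __init__(self, key: bytes, login_url: str = "/login", token_lifetime: int = 3600):
        self.key, self.login_url, self.token_lifetime = key, login_url, token_lifetime

    def login_user(self, username: str, now: int) -> str:
        return make_token(self.key, username, self.token_lifetime, now)

    def who_is_user(self, token: str, now: int):
        found = verify_token(self.key, token, now)
        return found[0] if found else None

    def login_duration(self, token: str, now: int):
        found = verify_token(self.key, token, now)
        return now - found[1] if found else None

    def logout_user(self, token: str) -> str:
        # No server-side state to invalidate: the token stays valid until expiry
        # (the trade-off the post mentions), so all we can do is clear the client's cookie.
        return "Set-Cookie: auth=; Max-Age=0"

    def check_request(self, token: str, now: int):
        """None when the request may proceed, otherwise the login URL to redirect to."""
        return None if self.who_is_user(token, now) else self.login_url
```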