[albatross-users] Encrypting passwords in a session

Dave Cole djc at object-craft.com.au
Sat Jul 12 13:45:44 EST 2003


>>>>> "Eric" == Eric S Johansson <esj at harvee.org> writes:

Eric> Eric S. Johansson wrote:
>> I'll think about the class overnight and post suggestion in the
>> morning.

That would be good.

Eric> Simple_authenticated_application would need two additional
Eric> arguments.  First is the login screen URL, second is the
Eric> lifetime of an authentication token. Default values should be
Eric> available for both.

Eric> It also seems that we wouldn't need much in the way of
Eric> additional:

Eric> logout_user(): invalidates login token for this user and removes
Eric> token from HTML output stream.  who_is_user(): yields username
Eric> of user.  (Note: Login process should also set remote_user
Eric> environment variable) login_duration(): (would be nice) yields
Eric> time since user login

Eric> all of the checking for a valid login, redirection to login
Eric> screen etc. would all happen invisibly to the user as part of
Eric> the new class which means the application code really doesn't
Eric> need to change.

I am looking forward to seeing the sample.  Adding something like this
to the documentation would be a very good thing.

Eric> using the design for authentication tokens shown in section 4 of
Eric> http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf, we don't need to
Eric> have any persistent server side session state if we're willing
Eric> to accept some of the trade-offs (i.e. difficulty in terminating
Eric> authentication authorization before expiration)

Thanks for the URL.  I have some more reading to do...

- Dave

-- 
http://www.object-craft.com.au
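The stateless token design Eric refers to (section 4 of the MIT webauth paper: an expiry stamp plus data, authenticated by a keyed MAC under a server-only secret, so the server keeps no per-session state) can be sketched in a few lines. The code below is an added illustration for this thread, not code from Albatross or from either poster; the function names `make_token`, `verify_token`, `who_is_user`, `login_duration` and `logout_user` are hypothetical and simply follow the method names Eric proposed, and the key and timestamps are constructed for the example. It also shows the trade-off Eric mentions: `logout_user` can only tell the browser to drop the cookie, because without server-side state a token stays valid until its expiry.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-server secret. Constructed here for the example; a real deployment would
# load it from protected configuration and never send it to the client.
SERVER_KEY = secrets.token_bytes(32)

DEFAULT_LIFETIME = 3600  # seconds; Eric's "lifetime of an authentication token"


def _mac(payload: bytes, key: bytes) -> bytes:
    # HMAC-SHA256 over the whole payload (username, issue time, expiry). Anyone
    # can read the payload, but only the holder of the key can produce the tag.
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def make_token(username: str, lifetime: int = DEFAULT_LIFETIME,
               now: Optional[int] = None, key: bytes = SERVER_KEY) -> str:
    """Build a self-contained token: username|issued|expiry|mac, base64-encoded."""
    if not username or "|" in username:
        raise ValueError("username must be non-empty and must not contain '|'")
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now}|{now + lifetime}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _mac(payload, key)).decode()


def verify_token(token: str, now: Optional[int] = None,
                 key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the token's fields if the MAC checks out and it has not expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw.rsplit(b"|", 1)
        username, issued, expiry = payload.decode().split("|")
        issued, expiry = int(issued), int(expiry)
    except (ValueError, UnicodeDecodeError):
        # Malformed tokens (bad base64, wrong field count, non-integer times)
        return None
    # Constant-time comparison so an attacker cannot learn the tag byte by byte.
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return None
    if now >= expiry:
        return None
    return {"username": username, "issued": issued, "expiry": expiry}


def who_is_user(token: str, now: Optional[int] = None,
                key: bytes = SERVER_KEY) -> Optional[str]:
    """Username carried by a valid token; the caller would also set REMOTE_USER."""
    fields = verify_token(token, now, key)
    return None if fields is None else fields["username"]


def login_duration(token: str, now: Optional[int] = None,
                   key: bytes = SERVER_KEY) -> Optional[int]:
    """Seconds since the user logged in, for a valid token."""
    now = int(time.time()) if now is None else now
    fields = verify_token(token, now, key)
    return None if fields is None else now - fields["issued"]


def logout_user(cookie_name: str = "auth_token") -> str:
    """Set-Cookie header that makes the browser discard the token.

    This is the trade-off Eric mentions: with no server-side session state
    there is nothing to invalidate, so a copy of the token that the user (or
    someone who stole it) kept remains valid until its expiry time.
    """
    return f"{cookie_name}=; Max-Age=0; Path=/; HttpOnly"


if __name__ == "__main__":
    tok = make_token("alice", lifetime=600, now=1000)
    print("issued token:", tok)
    print("user at t=1100:", who_is_user(tok, now=1100))
    print("user at t=1600:", who_is_user(tok, now=1600))  # expired
    print("logout header:", logout_user())
```

Because every field the server trusts is covered by the MAC, changing the username or pushing the expiry forward invalidates the token, which is what lets the server drop its session table; the cost is that early revocation needs some state after all, such as a short list of revoked tokens kept until their expiry.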
