[albatross-users] Encrypting passwords in a session
Dave Cole
djc at object-craft.com.au
Sat Jul 12 13:45:44 EST 2003
>>>>> "Eric" == Eric S Johansson <esj at harvee.org> writes:
Eric> Eric S. Johansson wrote:
>> I'll think about the class overnight and post suggestion in the
>> morning.
That would be good.
Eric> Simple_authenticated_application would need two additional
Eric> arguments. First is the login screen URL, second is the
Eric> lifetime of an authentication token. Default values should be
Eric> available for both.
Eric> It also seems that we wouldn't need much in the way of
Eric> additional:
Eric> logout_user(): invalidates login token for this user and removes
Eric> token from HTML output stream.
Eric> who_is_user(): yields username of user. (Note: Login process
Eric> should also set remote_user environment variable)
Eric> login_duration(): (would be nice) yields time since user login
Eric> all of the checking for a valid login, redirection to login
Eric> screen etc. would all happen invisibly to the user as part of
Eric> the new class which means the application code really doesn't
Eric> need to change.
I am looking forward to seeing the sample. Adding something like this
to the documentation would be a very good thing.
Eric> using the design for authentication tokens shown in section 4 of
Eric> http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf, we don't need to
Eric> have any persistent server side session state if we're willing
Eric> to accept some of the trade-offs (i.e. difficulty in terminating
Eric> authentication authorization before expiration)
Thanks for the URL. I have some more reading to do...
- Dave
--
http://www.object-craft.com.au
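As an added illustration of the stateless scheme Eric refers to (an expiry-plus-MAC token in the style of section 4 of the webauth paper), here is a Python sketch that is not part of Albatross and not code from either poster. It implements the three helpers Eric lists on top of such a token, and goes one step beyond the paper's minimum by embedding an issued-at timestamp so that login_duration() can be answered without server-side state. The function names, the placeholder SECRET_KEY, the "issued|expiry|username" field layout and the cookie name are assumptions made for this example.

```python
import hashlib
import hmac
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Assumptions for this example (not Albatross code): one server-side secret
# and a default token lifetime. A real deployment loads the key from config.
SECRET_KEY = b"example-only-secret-key-replace-me"  # constructed placeholder
DEFAULT_LIFETIME = 3600                              # seconds
DIGEST_LEN = hashlib.sha256().digest_size            # 32 bytes


def sign_payload(payload, key=SECRET_KEY):
    """HMAC-SHA256 over the token fields; the MAC is what makes the token
    unforgeable without the server keeping any per-session state."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_token(username, lifetime=DEFAULT_LIFETIME, now=None, key=SECRET_KEY):
    """Issue a stateless token: issued|expiry|username followed by its MAC."""
    now = int(time.time()) if now is None else int(now)
    payload = b"%d|%d|%s" % (now, now + lifetime, username.encode("utf-8"))
    return urlsafe_b64encode(payload + sign_payload(payload, key)).decode("ascii")


def parse_token(token, now=None, key=SECRET_KEY):
    """Return (username, issued_at, expiry) if the token is authentic and
    unexpired, otherwise None. The MAC is checked before any field is trusted."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeError):
        return None
    if len(raw) <= DIGEST_LEN:
        return None
    payload, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    # constant-time comparison; a plain == would leak the digest byte by byte
    if not hmac.compare_digest(digest, sign_payload(payload, key)):
        return None
    fields = payload.split(b"|", 2)
    if len(fields) != 3:
        return None
    try:
        issued, exp = int(fields[0]), int(fields[1])
    except ValueError:
        return None
    if now >= exp:
        return None
    return fields[2].decode("utf-8", "replace"), issued, exp


def who_is_user(token, now=None):
    """Username carried by a valid token, or None."""
    parsed = parse_token(token, now)
    return parsed[0] if parsed else None


def login_duration(token, now=None):
    """Seconds since the token was issued, or None if the token is not valid."""
    parsed = parse_token(token, now)
    if not parsed:
        return None
    now = int(time.time()) if now is None else int(now)
    return now - parsed[1]


def logout_cookie_header(cookie_name="auth"):
    """Logout in a stateless scheme can only tell the browser to drop the
    cookie. Any copy of the token kept elsewhere stays valid until expiry,
    which is the trade-off Eric mentions."""
    return "%s=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/" % cookie_name


if __name__ == "__main__":
    tok = make_token("alice", lifetime=600, now=1_000_000)
    print(who_is_user(tok, now=1_000_300))
    print(login_duration(tok, now=1_000_300))
    print(who_is_user(tok, now=1_000_600))
    print(logout_cookie_header())
```

Because nothing is recorded on the server, "invalidates login token" in logout_user() reduces to clearing the cookie; a token that has been copied keeps verifying until its expiry passes, so the token lifetime is the only lever for limiting that window.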