[Catalyst] authentication

Peter Edwards peter at dragonstaff.co.uk
Sat Mar 12 20:08:31 GMT 2011


On 12 March 2011 19:41, shawn wilson <ag4ve.us at gmail.com> wrote:

> I am working on an app that allows users to access (and do some things)
> with email. However, I want a method of storing their password that would
> require them accessing the site in order for me to be able to decrypt. I was
> thinking of encrypting it based on the key that
> Catalyst::Plugin::Authentication uses to store credentials on their end. I
> also thought that maybe I could store some other field in that cookie that
> maybe had a seed.
>
> However, I was hoping that maybe someone would point out that this could be
> done totally internal to that authentication module or maybe another module
> does this? And maybe there's some sort of flaw in my ideas? Or maybe someone
> on here has done something similar they'd be willing to share?
>
You haven't really given enough details of what you want to do for people to
be able to give a good and secure answer.
In general, you need to create a token based upon a secure authentication
(like the way OAuth does) and use that.
However, it's not clear whether your token is passed in clear text or a
breakable session (in which case you need a one-time key) or something else.
Of course, email itself is insecure unless over SSL, and even then a recorded
session could be broken in time.
Regards, Peter (with his black hat on)