[Catalyst] authentication

shawn wilson ag4ve.us at gmail.com
Sat Mar 12 20:31:22 GMT 2011


On Sat, Mar 12, 2011 at 3:08 PM, Peter Edwards <peter at dragonstaff.co.uk> wrote:

> On 12 March 2011 19:41, shawn wilson <ag4ve.us at gmail.com> wrote:
>
>> i am working on an app that allows users to access (and do some things)
>> with email. however, i want a method of storing their password that would
>> require them accessing the site in order for me to be able to decrypt. i was
>> thinking of encrypting it based on the key that
>> Catalyst::Plugin::Authentication uses to store credentials on their end. i
>> also thought that maybe i could store some other field in that cookie that
>> maybe had a seed.
>>
>> however, i was hoping that maybe someone would point out that this could
>> be done totally internal to that authentication module or maybe another
>> module does this? and maybe there's some sort of flaw in my ideas? or maybe
>> someone on here has done something similar they'd be willing to share?
>>
>>
> You haven't really given enough details of what you want to do for people
> to be able to give a good and secure answer.
> In general you need to create a token based upon a secure authentication
> (like the way OAuth does) and use that.
> However, it's not clear whether your token is passed in clear text or a
> breakable session (in which case you need a one time key) or something else.
> Of course email itself is insecure unless over SSL and even then a recorded
> session could be broken in time.
> Regards, Peter (with his black hat on)
>
>
i guess my main thing was a way to say to a user, you can give me the
password to your email, i don't know what it is and have no way of easily
obtaining it unless you login. i don't think that keeping a plain text of
their pass in their cookie is good (obviously). email itself is insecure,
however i think most people do login to their email securely.

I think what i'm looking for is some type of one way hash that depends on
something i can get from their session.