[Catalyst] authentication

Peter Edwards peter at dragonstaff.co.uk
Sat Mar 12 21:03:07 GMT 2011


Check out whether you can use OAuth as a limited form of permission without
using their password. Otherwise you are in
storing-credit-card-nos-on-my-server territory (not a happy place).
On 12 Mar 2011 20:33, "shawn wilson" <ag4ve.us at gmail.com> wrote:
> On Sat, Mar 12, 2011 at 3:08 PM, Peter Edwards <peter at dragonstaff.co.uk> wrote:
>
>> On 12 March 2011 19:41, shawn wilson <ag4ve.us at gmail.com> wrote:
>>
>>> I am working on an app that allows users to access (and do some things)
>>> with email. However, I want a method of storing their password that would
>>> require them to access the site in order for me to be able to decrypt. I was
>>> thinking of encrypting it based on the key that
>>> Catalyst::Plugin::Authentication uses to store credentials on their end. I
>>> also thought that maybe I could store some other field in that cookie that
>>> maybe had a seed.
>>>
>>> However, I was hoping that maybe someone would point out that this could
>>> be done totally internal to that authentication module, or maybe another
>>> module does this? And maybe there's some sort of flaw in my ideas? Or maybe
>>> someone on here has done something similar they'd be willing to share?
>>>
>>>
>> You haven't really given enough details of what you want to do for people
>> to be able to give a good and secure answer.
>> In general you need to create a token based upon a secure authentication
>> (like the way OAuth does) and use that.
>> However, it's not clear whether your token is passed in clear text or a
>> breakable session (in which case you need a one-time key) or something else.
>> Of course email itself is insecure unless over SSL, and even then a recorded
>> session could be broken in time.
>> Regards, Peter (with his black hat on)
>>
>>
> I guess my main thing was a way to say to a user: you can give me the
> password to your email, I don't know what it is and have no way of easily
> obtaining it unless you log in. I don't think that keeping a plain text of
> their pass in their cookie is good (obviously). Email itself is insecure;
> however, I think most people do log in to their email securely.
>
> I think what I'm looking for is some type of one-way hash that depends on
> something I can get from their session.
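As an added illustration of the design shawn is asking about (this is not code from the thread, nor from Catalyst::Plugin::Authentication): the key that wraps the stored mail password is derived from the user's login password at authentication time and held only in the server-side session, so the record in the database cannot be decrypted while the user is logged out. Function names and the record layout are assumed; the stdlib-only toy AEAD (HMAC-SHA256 keystream, encrypt-then-MAC) is there so the example runs offline, and a real deployment would use an AEAD such as AES-GCM from a proper library.

```python
import hashlib
import hmac
import os

# Assumed layout: `record` is the per-user row the Catalyst app would persist.
# The login password itself is never stored; only the salt and the sealed blob are.

def derive_wrapping_key(login_password: str, salt: bytes) -> bytes:
    """Key the server can only recompute while the user supplies the login password."""
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, 200_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (toy, stdlib-only)."""
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate keys split off the wrapping key. Output: nonce|ct|tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)  # fresh per seal; reuse with the same key would leak XOR of plaintexts
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering -> ValueError."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong wrapping key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def store_mail_password(login_password: str, mail_password: str) -> dict:
    """Run once, while the user is present; persists only salt and ciphertext."""
    salt = os.urandom(16)
    key = derive_wrapping_key(login_password, salt)
    return {"salt": salt, "mail_pw_blob": seal(key, mail_password.encode())}

def login(login_password: str, record: dict) -> bytes:
    """At login, derive the key and keep it in the server-side session, never in a cookie."""
    return derive_wrapping_key(login_password, record["salt"])

def mail_password_for_session(session_key: bytes, record: dict) -> str:
    """Decrypt on demand for an authenticated session; any other key fails the tag check."""
    return unseal(session_key, record["mail_pw_blob"]).decode()
```

A login-password change or an administrative reset orphans the blob unless it is re-wrapped at that moment while the old key is still in the session; that is the cost of the property the design wants.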