[Catalyst] authentication

shawn wilson ag4ve.us at gmail.com
Sat Mar 12 23:15:49 GMT 2011


Good point, I'll read up on the appropriate way to install cc numbers (I'm
sure there's more on PCI than I care to know), which should get me to where I
want to be. I'll look into how many email servers and services support OAuth
and see how well that might work, but I have my doubts. Thanks for the help.
On Mar 12, 2011 4:06 PM, "Peter Edwards" <peter at dragonstaff.co.uk> wrote:
> Check out whether you can use OAuth as a limited form of permission without
> using their password. Otherwise you are in
> storing-credit-card-nos-on-my-server territory (not a happy place)
> On 12 Mar 2011 20:33, "shawn wilson" <ag4ve.us at gmail.com> wrote:
>> On Sat, Mar 12, 2011 at 3:08 PM, Peter Edwards <peter at dragonstaff.co.uk> wrote:
>>
>>> On 12 March 2011 19:41, shawn wilson <ag4ve.us at gmail.com> wrote:
>>>
>>>> I am working on an app that allows users to access (and do some things)
>>>> with email. However, I want a method of storing their password that would
>>>> require them accessing the site in order for me to be able to decrypt. I was
>>>> thinking of encrypting it based on the key that
>>>> Catalyst::Plugin::Authentication uses to store credentials on their end. I
>>>> also thought that maybe I could store some other field in that cookie that
>>>> maybe had a seed.
>>>>
>>>> However, I was hoping that maybe someone would point out that this could
>>>> be done totally internal to that authentication module or maybe another
>>>> module does this? And maybe there's some sort of flaw in my ideas? Or maybe
>>>> someone on here has done something similar they'd be willing to share?
>>>>
>>> You haven't really given enough details of what you want to do for people
>>> to be able to give a good and secure answer.
>>> In general you need to create a token based upon a secure authentication
>>> (like the way OAuth does) and use that.
>>> However, it's not clear whether your token is passed in clear text or a
>>> breakable session (in which case you need a one time key) or something else.
>>> Of course email itself is insecure unless over SSL and even then a recorded
>>> session could be broken in time.
>>> Regards, Peter (with his black hat on)
>>>
>> I guess my main thing was a way to say to a user, you can give me the
>> password to your email, I don't know what it is and have no way of easily
>> obtaining it unless you login. I don't think that keeping a plain text of
>> their pass in their cookie is good (obviously). Email itself is insecure,
>> however I think most people do login to their email securely.
>>
>> I think what I'm looking for is some type of one way hash that depends on
>> something I can get from their session.
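The design Shawn asks about (a stored mail password the server can only recover while the user is logged in) as an added example, not code from this thread or from Catalyst::Plugin::Authentication: the login password the user presents at sign-in is run through a KDF with a per-user salt, and the derived key wraps the mail password, so the database holds only salt, nonce, ciphertext and tag. Python standard library only; the HMAC-SHA256 counter-mode cipher is a stand-in assumption for AES-GCM, and the function and field names are this example's own.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # assumption for the example; tune for your hardware


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib-only stand-in for a real AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_keys(login_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the login password only.
    The server sees that password transiently at sign-in and never stores it."""
    k = hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return k[:32], k[32:]


def wrap_mail_password(login_password: str, mail_password: str) -> dict:
    """Encrypt-then-MAC the mail password; the returned record is what gets stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(login_password, salt)
    pt = mail_password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_mail_password(login_password: str, record: dict):
    """At login: re-derive the keys and recover the mail password into session memory.
    Returns None when the login password is wrong or the record was tampered with."""
    enc_key, mac_key = derive_keys(login_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()
```

Two consequences of this design worth planning for: a password reset makes the wrapped mail password unrecoverable (the user must re-enter it), and once unwrapped it lives in server memory for the session, so the scheme protects the stored copy only, not a compromised running server.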