:re from rt

> So use salted_hash which uses Crypt::SaltedHash.
> Or, set the salt to a random value on each request.
I think you're missing something -- or I am. How do you propose to set it to a different value on each request if the salt is being read from the configuration and not the call to authenticate? Should I modify the global configuration of C:P:A from the Controller? That sounds hackish.

Moreover, the traditional method of salting is to store the salt in the DB? If this is used, should I retrieve the salt with the Authentication plugin's model? That would sound silly. Crypt::SaltedHash makes the salt a function of the username; I haven't looked too much into the implementation, but it certainly isn't the normal method of salting -- though it most probably helps on some level.

The obvious solution to this will be to have a `salt_field` that, when filled out, retrieves the salt from the userinfo. I'll see about a patch tomorrow.

--
Evan Carroll
System Lord of the Internets
http://www.evancarroll.com

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
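The difference between a salt read from configuration and a salt stored with each user, sketched in plain Perl as an added example that is not part of the original post or of the Catalyst authentication plugin. `salt_field` is the option name proposed in the message; the user records, column names, config salt and sample password are constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed value: one site-wide salt, as it would be read from app config.
my $GLOBAL_SALT = 'constructed-config-salt';

# 16 random bytes from the OS, hex-encoded; generated once per user.
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Plain SHA-256 mirrors the hashed-password setup under discussion;
# a deliberately slow KDF is the better choice for new systems.
sub hash_password {
    my ($salt, $password) = @_;
    return sha256_hex($salt . $password);
}

# Hypothetical user rows; $salt_field names the column that holds the salt.
my $salt_field = 'salt';
sub make_user {
    my ($name, $password) = @_;
    my $salt = new_salt();
    return { username => $name, $salt_field => $salt,
             password => hash_password($salt, $password) };
}

# Verification takes the salt from the user record, not from global config.
sub check_password {
    my ($user, $candidate) = @_;
    my $got  = hash_password($user->{$salt_field}, $candidate);
    my $want = $user->{password};
    return 0 if length $got != length $want;
    my $diff = 0;    # compare every character so timing does not leak a prefix
    $diff |= ord(substr $got, $_, 1) ^ ord(substr $want, $_, 1)
        for 0 .. length($got) - 1;
    return $diff == 0 ? 1 : 0;
}

my @users = map { make_user($_, 'hunter2') } qw(alice bob);
printf "config salt, same password:   hashes %s\n",
    hash_password($GLOBAL_SALT, 'hunter2') eq hash_password($GLOBAL_SALT, 'hunter2')
        ? 'identical' : 'differ';
printf "per-user salt, same password: hashes %s\n",
    $users[0]{password} eq $users[1]{password} ? 'identical' : 'differ';
printf "alice: correct password %d, wrong password %d\n",
    check_password($users[0], 'hunter2'), check_password($users[0], 'nope');
```

With the config salt, two users who share a password get the same stored hash, so one precomputed table covers the whole user table; with a salt per row the hashes differ and each row has to be attacked separately.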