I wrote a working solution today for a challenge, I just wanted to throw
around some ideas before submitting a patch - even though it's probably
a pointless gesture this close to a major merge. Here's a summary:

First of all, none of this requires client-side encryption but it's
used if JavaScript is on.

A new password encryption method using pseudo-random salt based on
username was required. This way the salt can be calculated client-side
before login.

On every login attempt, a unique key is stored in the user's session and
sent with the login form as a hidden form item.

JS works out the hash - sha1(pw + username_salt).

Then rather than sending the hash stored in the database, the hash is
hashed for extra security:
- random_salt created
- sha1(pw+onetime_login_salt+random_salt)
- random_salt+'$'+hashed_hash stored back in the hidden form item
- password set to ''

So, thoughts?


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers
-~----------~----~----~----~------~----~------~--~---
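The exchange described in the post above, written out as an added example in Python (this is editor-supplied illustration code, not the poster's patch and not Django's own code). It assumes a hypothetical username-based salt of sha1(username), reads the "pw" in the third step as the sha1(pw + username_salt) hash from the previous step (the "hash of the hash"), and uses a constructed user and password; the session store, form rendering and field names are stand-ins for whatever the real patch would use.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials (not from the original message).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def username_salt(username: str) -> str:
    """Hypothetical pseudo-random salt derived only from the username, so the
    browser can recompute it before login without a round trip."""
    return hashlib.sha1(username.encode()).hexdigest()


def stored_hash(username: str, password: str) -> str:
    """The value kept in the database: sha1(pw + username_salt)."""
    return hashlib.sha1((password + username_salt(username)).encode()).hexdigest()


def client_hidden_field(username: str, password: str, onetime_key: str) -> str:
    """Browser side (what the JS would do): compute the stored hash, then hash
    that hash with the one-time login key and a fresh random salt, and return
    'random_salt$hashed_hash' to be written back into the hidden form item."""
    h = stored_hash(username, password)
    random_salt = secrets.token_hex(8)
    hashed_hash = hashlib.sha1((h + onetime_key + random_salt).encode()).hexdigest()
    return random_salt + "$" + hashed_hash


class Server:
    """Minimal stand-in for the server side: user table plus per-session keys."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}     # username -> stored_hash
        self.sessions: dict[str, str] = {}  # session id -> one-time login key

    def register(self, username: str, password: str) -> None:
        self.users[username] = stored_hash(username, password)

    def render_login_form(self, session_id: str) -> str:
        """Issue a unique key, remember it in the session, embed it in the form."""
        key = secrets.token_hex(16)
        self.sessions[session_id] = key
        return key

    def login(self, session_id: str, username: str,
              password_field: str, hidden_field: str) -> bool:
        # The key is single-use: a second submission for the same session fails.
        key = self.sessions.pop(session_id, None)
        if key is None or username not in self.users:
            return False
        h = self.users[username]
        if password_field:
            # JavaScript off: the plain password was submitted, hash it server-side.
            return hmac.compare_digest(stored_hash(username, password_field), h)
        # JavaScript on: password field is '' and the hidden item carries
        # random_salt$hashed_hash; recompute from the stored hash and compare.
        random_salt, sep, hashed_hash = hidden_field.partition("$")
        if not sep:
            return False
        expected = hashlib.sha1((h + key + random_salt).encode()).hexdigest()
        return hmac.compare_digest(expected, hashed_hash)


def demo() -> dict:
    """Run the four cases a reviewer would want to see and return the outcomes."""
    server = Server()
    server.register(USERNAME, PASSWORD)
    results = {}

    key = server.render_login_form("sess1")
    field = client_hidden_field(USERNAME, PASSWORD, key)
    results["js_correct"] = server.login("sess1", USERNAME, "", field)

    # Resubmitting the same session after the key was consumed must fail.
    results["reused_session"] = server.login("sess1", USERNAME, "", field)

    # Replaying a captured field against a freshly issued key must fail.
    server.render_login_form("sess2")
    results["replay"] = server.login("sess2", USERNAME, "", field)

    key = server.render_login_form("sess3")
    results["js_wrong"] = server.login(
        "sess3", USERNAME, "", client_hidden_field(USERNAME, "wrong", key))

    key = server.render_login_form("sess4")
    results["plain"] = server.login("sess4", USERNAME, PASSWORD, key)
    return results


if __name__ == "__main__":
    print(demo())
```

One design point worth noting when reviewing the scheme as written: the server verifies the response starting from the database value, so that stored hash is enough by itself to produce a valid hidden field, and the database record therefore has to be protected as carefully as the password it replaces.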