Malthe Borch wrote:
> 2009/5/12 Paul Johnston <p...@pajhome.org.uk>:
>> I am going to have a go at adding a new authentication method to
>> repoze.who. It's like the standard forms authentication, but uses
>> JavaScript hashing to protect the password as it is transmitted.
>
> Excellent; there's been talk on this list previously about such a
> mechanism.
>
>> I know many people are using my scripts, so I think this would be a
>> good feature for repoze.who. I've not used repoze.who so far, so let's
>> see how I get on. If anyone would like to lend a hand, just let me
>> know.
>
> Is it correct to assume that if both the form where users originally
> provide their desired password and the login form both use your
> script, then nothing needs to be done on the server-side?

I think the server has to be configured to store the passwords generated
from the JS hash library "in the clear", and to use the "clear_check"
checker (re-hashing is not useful).


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
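An added example, not part of the original message and not repoze.who code: a sketch of the arrangement the reply describes, where the server stores the client-side hash as-is and compares the submitted value to it verbatim. All function names are hypothetical, hex SHA-1 stands in for the browser-side hash as an assumption, and the user data is constructed.

```python
import hashlib
import hmac

def client_hash(password: str) -> str:
    """Stand-in for the browser-side JS hash (assumption: hex SHA-1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def verbatim_check(submitted: str, stored: str) -> bool:
    """Compare the submitted value to the stored value as-is, in constant time."""
    return hmac.compare_digest(submitted.encode("utf-8"), stored.encode("utf-8"))

def rehashing_check(submitted: str, stored: str) -> bool:
    """Hash the submitted value once more before comparing."""
    rehashed = client_hash(submitted)
    return hmac.compare_digest(rehashed.encode("utf-8"), stored.encode("utf-8"))

def make_store(users: dict) -> dict:
    """Registration form also runs the script, so only hashes reach the server."""
    return {login: client_hash(pw) for login, pw in users.items()}

def authenticate(store: dict, login: str, submitted: str, check) -> bool:
    stored = store.get(login)
    if stored is None:
        # Still run one comparison so unknown logins cost about the same.
        check(submitted, "0" * 40)
        return False
    return check(submitted, stored)

if __name__ == "__main__":
    store = make_store({"alice": "correct horse"})   # constructed sample user
    wire = client_hash("correct horse")              # what the login form sends
    # Verbatim comparison accepts the value the script produced.
    print("verbatim :", authenticate(store, "alice", wire, verbatim_check))
    # Re-hashing compares hash(hash(pw)) against hash(pw) and rejects it.
    print("rehashing:", authenticate(store, "alice", wire, rehashing_check))
    # The raw password never matches, because the server only knows the hash.
    print("raw pw   :", authenticate(store, "alice", "correct horse", verbatim_check))
    # The stored value is exactly what the server accepts at login, so the
    # credential store needs the same protection as a plaintext password file.
    print("stored   :", authenticate(store, "alice", store["alice"], verbatim_check))
```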