On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote:
>
> On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote:
> >
> > As I understand it (and I am pretty likely to get this wrong so feel
> > free to
> > point that out) the only reason we have to send the user/pass on every
> > http
> > request is
On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote:
>
> On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote:
> >
> > Perhaps more effort needs to be made with the LSMB installer. I still am
> > > not running it because it does not install on a standard ubuntu desktop
> > > box.
> > >
> >
> > Agreed,
On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote:
>
> Perhaps more effort needs to be made with the LSMB installer. I still am not
> > running it because it does not install on a standard ubuntu desktop box.
>
> Agreed, at least as far as Windows goes. But consider Ubuntu. Do you
> *really* want
On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote:
>
> As I understand it (and I am pretty likely to get this wrong so feel free
> to
> point that out) the only reason we have to send the user/pass on every
> http
> request is because of the change to using postgresql to authenticate every
> r
On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote:
>
> On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote:
> >
> > I think we should separate the issues of storage and transmission. The
> > password is always stored at some point in browser memory in plain text (for
> > example, when it is enter
On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote:
>
>
>
> On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
> >
> > Anyone who thinks a "user" should be able to install LSMB or PostgreSQL
> > is frankly, in a fantasy world.
> >
>
> OK I guess all the users that use ubuntu, the biggest distro
On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote:
>
> I think we should separate the issues of storage and transmission. The
> password is always stored at some point in browser memory in plain text (for
> example, when it is entered). It is always submitted to the server in plain
> text in th
On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
>
> Anyone who thinks a "user" should be able to install LSMB or PostgreSQL
> is frankly, in a fantasy world.
>
OK I guess all the users that use ubuntu, the biggest distro in linux, must
all be in a fantasy world. They just click to install t
On 10/2/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ashley J Gittins wrote:
> > As I understand it (and I am pretty likely to get this wrong so feel
> free to
> > point that out) the only reason we have to send the user/pass on every
> http
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ashley J Gittins wrote:
> As I understand it (and I am pretty likely to get this wrong so feel free to
> point that out) the only reason we have to send the user/pass on every http
> request is because of the change to using postgresql to authenticat
As I understand it (and I am pretty likely to get this wrong so feel free to
point that out) the only reason we have to send the user/pass on every http
request is because of the change to using postgresql to authenticate every
request (ie, server-side, LSMB logs into psql as the actual user), t
On 10/2/07, The Anarcat <[EMAIL PROTECTED]> wrote:
>
> Just to make things clearer, you have a few ways of doing auth:
>
> 1. Client-side based solution (HTTP Auth, cookies, GET...)
> 2. Server-side based solution (sessions)
>
> In those approaches, from what I understand, the username/password is
On 10/2/07, John Locke <[EMAIL PROTECTED]> wrote:
>
>
>
> Chris Travers wrote:
> > In going to native DB accounts, one of the difficulties we have to
> > resolve is how to effectively authenticate serial requests. The major
> > problem has to do with how the password to the database is stored. I
Just to make things clearer, you have a few ways of doing auth:
1. Client-side based solution (HTTP Auth, cookies, GET...)
2. Server-side based solution (sessions)
In those approaches, from what I understand, the username/password is
stored "somewhere" and communicated back to the postgresql se
Chris Travers wrote:
> In going to native DB accounts, one of the difficulties we have to
> resolve is how to effectively authenticate serial requests. The major
> problem has to do with how the password to the database is stored. I
> am going to suggest that we move to using HTTP authenticatio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Travers wrote:
> On 10/2/07, Chris Nighswonger <[EMAIL PROTECTED]> wrote:
>>
>
> Having said this, I think we should be trying to be as secure as possible by
> default. I don't like the idea of blaming users for security issues,
With respect
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Nighswonger wrote:
> On 10/2/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Chris Nighswonger wrote:
>>> On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
>>> Maybe hash it in the Java
On 10/2/07, Chris Nighswonger <[EMAIL PROTECTED]> wrote:
>
>
> I had this thought as well, but was not sure whether this was
> considered part of deployment of LedgerSMB rather than coding and
> therefore the responsibility of the installer/admin. In any case ssl
> adds more security to the dataflo
On 10/2/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Nighswonger wrote:
> > On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
>
> > Maybe hash it in the Java script (or whatever method you choose),
> > store the hash in a cookie, tran
On 10/2/07, Seneca Cunningham <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 02, 2007 at 07:50:43AM -0400, Chris Nighswonger wrote:
> > On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
> > > To log in on the next page you need to provide PostgreSQL with a username
> > > and password. How do we deriv
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Nighswonger wrote:
> On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
> Maybe hash it in the Java script (or whatever method you choose),
> store the hash in a cookie, transmit the hash, have the code unhash
> and pass the password to the DB
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Travers wrote:
> On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Chris Travers wrote:
>>> On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
-
passwords will not
On Tue, Oct 02, 2007 at 07:50:43AM -0400, Chris Nighswonger wrote:
> On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
> > To log in on the next page you need to provide PostgreSQL with a username
> > and password. How do we derive what password we send to PostgreSQL and
> > where do we store t
On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
>
>
> On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Chris Travers wrote:
> > > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote:
> > >> -
> > >>
> > >> passwords will not
On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote:
> In going to native DB accounts, one of the difficulties we have to resolve
> is how to effectively authenticate serial requests. The major problem has
> to do with how the password to the database is stored. I am going to
> suggest that we mo