Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread The Anarcat
On Tue, Oct 02, 2007 at 09:10:40PM -0700, Chris Travers wrote: > Client-side MD5 of passwords is almost always seriously wrong. In fact I > cannot think of a case where this would be acceptable. Such a system would > be vulnerable to replay attacks at the very least. See Seneca's post above > as

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread The Anarcat
On Tue, Oct 02, 2007 at 12:53:37PM -0700, Chris Travers wrote: [...] > I think we should separate the issues of storage and transmission. The > password is always stored at some point in browser memory in plain text (for > example, when it is entered). It is always submitted to the server in pla

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Joshua D. Drake
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Travers wrote: > On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > Apache/PostgreSQL authentication can still be done via any auth method. SSL > would be nice for this leg but it is not where the issue is (which is > between the browser

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Chris Travers
On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > > > We are making this far more complicated than it needs to be. Let's just > make it so ssl is part of the ledgersmb requirements and include the > docs to handle that. We can even include a simple wizard that will > create the postgresql

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Chris Nighswonger
On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Chris Travers wrote: > > On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > >> On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote: > >>> As I understand it (and I am pretty likely to

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Joshua D. Drake
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Travers wrote: > On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: >> On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote: >>> As I understand it (and I am pretty likely to get this wrong so feel >>> free to >>> point that out) the only reas

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Joshua D. Drake
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Tangye wrote: > On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: >> Anyone who thinks a "user" should be able to install LSMB or PostgreSQL >> is, frankly, in a fantasy world. >> > > OK I guess all the users that use ubuntu, the biggest dis

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread David Tangye
On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > > On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > > > > On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > > > > Perhaps more effort needs to be made with the LSMB installer. I still am > > > > not running it because it does not

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread John Locke
Chris Travers wrote: > > > On 10/2/07, *John Locke* <[EMAIL PROTECTED] > > wrote: > > > First off, how can you do http auth using Javascript? > > > One option is to grab the username and password from the form, make > use of XMLHttpRequestObject to make a request with