Dear Jonathan,

Thanks for the reply. You said "... shouldn't be necessary to use the same 
(or no) salt on different installations for passwords to work correctly ..."

That set me to making an experimental app to test the passwords, pwt.

Here are my notes from that experiment which compares pwt with 
myORIGappNotReally.

Password test app, pwt/myORIGappNotReally experiment notes:

1. create pwt app via webfaction-web2py browser New simple application create
2. register users normally
    a. register as Joe D j...@joe.com pw123joeXX
    b. register as Sam E s...@sam.com pw456samYY
    c. register as Lil F l...@lil.com pw789lilZZ
    d. inspect db_auth_user.csv
        auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
        1,Joe,D,j...@joe.com,"pbkdf2(1000,20,sha512)$9754737b2a4d5e86$ef746e588dd237c84ec323d4bc6af40c61a5a014",,,
        2,Sam,E,s...@sam.com,"pbkdf2(1000,20,sha512)$ab52efd4dba487d1$26a994230c6b67577dbc5b6f8bec0f31f6130612",,,
        3,Lil,F,l...@lil.com,"pbkdf2(1000,20,sha512)$9a0141a307768863$9e7cc89a462c75145aa195afbb50f4b53b5fa9c2",,,
3. make registration needs approval = True
    in db.py
        was: auth.settings.registration_requires_approval = False   
        now: auth.settings.registration_requires_approval = True
4. make default.py->index: @auth.requires_login()         
5. test all users on webfaction for index 
    RESULT all 3 
        -are challenged to login at index
        -access index after login OK
6. set global so the app needs https
    in default.py-><at top> add
        # forces https (this can be done at the function level as well, see mdipierro's response
        # http://groups.google.com/group/web2py/browse_thread/thread/834380971cbbf93/b8ff37a450588fba
        session.secure()
7. test pwt app all users on webfaction for index 
    RESULT all 3 
        -SECURELY:    when accessed via https/opera 
            -are challenged to login at index
            -access index after login OK  
        -NOTSECURELY: when accessed via http/opera
            -are challenged to login at index
            -all are NOT granted access 
                i.e. **returned to login WITHOUT comment [maybe a headshake]**
8. test myORIGappNotReally on localWindows NOTSECURELY i.e. VIA http/opera
    http://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
    RESULT 3 of the original users
            -are challenged to login at index
            -all are NOT granted access
                i.e. **returned to login WITHOUT comment [no noticeable headshake]**
9. test myORIGappNotReally on localWindows SECURELY    i.e. VIA https/opera
    Secure connection: fatal error (47)
        https://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
        Transmission failure.
        Check that the address is spelled correctly, or try searching for the site.
10. test myORIGappNotReally on localUbuntu SECURELY    i.e. VIA https/firefox
    https://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
    Secure Connection Failed
            An error occurred during a connection to 127.0.0.1:8000.
            SSL received a record that exceeded the maximum permissible length.
            (Error code: ssl_error_rx_record_too_long)
            The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
            Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
11. **on myORIGappNotReally on localWindows**
        in default.py-><at top> **comment out**
            # forces https (this can be done at the function level as well, see mdipierro's response
            # http://groups.google.com/group/web2py/browse_thread/thread/834380971cbbf93/b8ff37a450588fba
            session.secure()
12. test myORIGappNotReally on localWindows NOTSECURELY i.e. VIA http/opera
    http://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
    RESULT 3 of the original users
            -are challenged to login at index
            -**access index after login OK**


*Conclusion*:
    The myORIGappNotReally app was fine on the localWindows machine.
    The problem was caused by insecurely accessing an app that had "session.secure()" set.
*Suggestion*:
    Perhaps a flash notice could be added to the session.secure() implementation
        to say that this app requires a secure connection. I think I remember
        seeing one in the past but it wasn't showing up now.
        
Thanks for the help to you, Jonathan, and Massimo and Niphlod.

Love and peace,

Joe

*P.S. This is NOT part of the tech discussion but my spiritual testimony. 
Please do NOT read on if that will bother you.*
It is my grateful testimony that I was awakened at 5.00am this morning by 
the Holy Spirit who usually sends me her messages at that time. I heard a 
whisper reminding me about the global setting requiring https connection. I 
am grateful to her.
        

On Wednesday, December 12, 2012 12:25:28 PM UTC-8, Jonathan Lundell wrote:
>
> On 12 Dec 2012, at 11:31 AM, JoeCodeswell <joecod...@gmail.com> wrote: 
> > Thanks, Jonathan. Thanks, Massimo. 
> > 
> > Web2py is a GREAT community. 
>
> Before we close this thread, I'd like to revisit the reason you were 
> having trouble in the first place. It shouldn't be necessary to use the 
> same (or no) salt on different installations for passwords to work 
> correctly (as long as you use the same key). 
>
> For example: 
>
> In [15]: CRYPT(salt=False)('dummy')[0].__str__() 
> Out[15]: 'pbkdf2(1000,20,sha512)$$9381f513faf7c848adb9b1d908b62a9391dc2db8' 
>
> In [16]: CRYPT(salt=True)('dummy')[0].__eq__('pbkdf2(1000,20,sha512)$$9381f513faf7c848adb9b1d908b62a9391dc2db8')
> Out[16]: True 
>
> In [25]: CRYPT(salt='anyoldsalt')('dummy')[0].__eq__('pbkdf2(1000,20,sha512)$$9381f513faf7c848adb9b1d908b62a9391dc2db8')
> Out[25]: True 
>
>
> All three CRYPT calls generate different salts and hashes, but the results 
> compare equal. Just be sure that you're using the CRYPT object's equality 
> test, and not merely comparing the hash strings. 
>
> > 
> > Thanks, again. 
> > 
> > Love and peace, 
> > 
> > Joe 
> > 
> > On Wednesday, December 12, 2012 10:38:10 AM UTC-8, Jonathan Lundell 
> wrote: 
> > On 12 Dec 2012, at 10:30 AM, JoeCodeswell <joecod...@gmail.com> wrote: 
> >> Dear Massimo and Jonathan, 
> >> 
> >> In my last post i said "I'm still not sure how to change my app 
> instances, however." 
> >> 
> >> I thought about it a little bit and my guess is that i should add 
> >> 
> >> db.auth_user.password.requires[0].salt = False 
> >> 
> >> someplace in db.py. Is that right? 
> >> 
> >> Thanks for the help. 
> >> 
> >> Love and peace, 
> > 
> > Either that or pass salt=False to the CRYPT constructor. Same effect. 
> > 
> > 
>
>
>

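Added illustration (not code from web2py, and not posted by anyone in this thread) of the point Jonathan makes above: the stored record `pbkdf2(iterations,keylen,digest)$salt$hexdigest` carries its own salt and parameters, so a correct equality test re-reads them from the record and never depends on the verifier's own salt setting. Assumptions: it is built on the standard library's `hashlib.pbkdf2_hmac`, not web2py's own PBKDF2 routine, so it will not reproduce the digests pasted above byte for byte; the `key`/HMAC option of `CRYPT` is not modelled; the random salt width (8 bytes, hex encoded) is a choice made here. The passwords used as sample input are the constructed ones from Joe's notes.

```python
import hashlib
import hmac
import os
import re

# Stored-hash format seen in the thread:
#   pbkdf2(<iterations>,<keylen>,<digest>)$<salt>$<hexdigest>
# An empty salt field ("$$") is the salt=False case in Jonathan's example.
_STORED = re.compile(r"^pbkdf2\((\d+),(\d+),([a-z0-9]+)\)\$([^$]*)\$([0-9a-f]+)$")


def hash_password(password, salt=None, iterations=1000, keylen=20, digest="sha512"):
    """Produce a stored-hash string in the format above.

    salt=None  -> fresh random salt (what CRYPT(salt=True) does at registration)
    salt=""    -> unsalted, giving the "$$" form of CRYPT(salt=False)
    salt="abc" -> fixed caller-supplied salt, like CRYPT(salt='anyoldsalt')

    Assumption: hashlib.pbkdf2_hmac stands in for web2py's own routine, so the
    digests will differ from the ones in the thread for the same inputs.
    """
    if salt is None:
        salt = os.urandom(8).hex()  # assumed salt width; web2py's may differ
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                             salt.encode("utf-8"), iterations, keylen)
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, digest, salt, dk.hex())


def parse_stored(stored):
    """Split a stored hash into (iterations, keylen, digest, salt, hexdigest),
    or return None when the string is not in the expected format."""
    m = _STORED.match(stored)
    if not m:
        return None
    iterations, keylen, digest, salt, hexdigest = m.groups()
    return int(iterations), int(keylen), digest, salt, hexdigest


def verify(password, stored):
    """The CRYPT-style equality test: take iterations, key length, digest and
    salt from the STORED record, re-derive, and compare in constant time.
    Because every parameter comes from the record, a verifier configured with
    a different salt policy (or no salt at all) still accepts the password."""
    parsed = parse_stored(stored)
    if parsed is None:
        return False
    iterations, keylen, digest, salt, hexdigest = parsed
    try:
        dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations, keylen)
    except ValueError:  # digest name not supported by hashlib
        return False
    return hmac.compare_digest(dk.hex(), hexdigest)


def naive_compare(password, stored):
    """The mistake Jonathan warns about: hash the candidate with the verifier's
    own (fresh) salt and compare the two strings. Fails whenever the stored
    record was produced with a different salt, which with random salts is
    essentially always."""
    return hash_password(password) == stored
```

`verify` is the behaviour to rely on when the same users table is moved between installations: each row's own salt travels with it inside the string, so nothing has to be set to `salt=False` on the receiving side. `naive_compare` is kept only to show why comparing hash strings directly looks like "passwords stop working" after a move. Records from the thread, such as the `9754737b2a4d5e86` row above, parse with `parse_stored` even though their digests were computed by web2py.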