Re: [ApacheGallery] Proposal for an admin site

On Fri, Mar 08, 2002 at 03:06:05PM -0500, Paul Vallee wrote:
> Hi Thomas,
> Happy anniversary!
> Thanks for your advice.
> I've changed the software to use Digest::MD5 (very painless, thanks for the
> tip.)
> I don't really understand your suggestion of an additional secret over and
> above the password, and why it improves security. Does the user define it at
> login, like a PIN? And if so, would I track the valid values in a local
> file? I understand how this improves security but if that's what you have in
> mind we might as well do (arbitrary database based?) multi-user
> authentication with expiring sessions, and track the sessionid in the cookie
> and the (database/file) rather than the password. I would prefer to leave
> that for later, unless you feel strongly about it. Let me know if I've
> misunderstood. Right now, the risk is manageable in my opinion, especially
> if the user "logs out", which zeros out the cookie.

I guess there's really not much reason to do it, after all it's only a
gallery and doesn't need to be extremely secure. And since people could
sniff network traffic and find the content of the cookie there anyway...

> I have studied the documentation for CGI::FastTemplate at
> and I'm afraid I don't understand your suggestion of using it to avoid
> hard-coding the form. I am already using CGI to dynamically generate the
> form and CGI::FastTemplate to set a template variable for display. Perhaps
> you could help me to understand better what you have in mind? Even better,
> if it's not too arduous, by all means just fix it in my code if you like. I
> certainly wouldn't consider it meddling! ;-)

The only reason I thought it might be good doing it with CGI::FastTemplate
is that we already have the layout in templates. It would mean that the
other Thomas would be able to change the look of the forms too (if he

> Please find the new (using Digest::MD5) and the new diff
> attached.


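The session-based alternative Paul sketches above (a random session id in the cookie, tracked server-side with an expiry, invalidated on logout), as an added example that is not part of the thread or of the Apache::Gallery code. The in-memory hash stands in for the database/file store, and the function names and the 30-minute lifetime are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Apache::Gallery code): expiring server-side sessions.
# The cookie carries only a random session id; the store maps it to a user
# and an expiry time, and logout removes the record so a copied cookie
# value stops working. Names and the lifetime are assumptions.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my %sessions;                 # session id => { user => ..., expires => epoch }
my $LIFETIME = 30 * 60;       # assumed session lifetime in seconds

# Derive the session id from kernel randomness, never from the password,
# so the cookie reveals nothing about the credential itself.
sub new_session_id {
    open my $fh, '<', '/dev/urandom' or die "urandom: $!";
    my $n = read($fh, my $bytes, 16);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return md5_hex($bytes);   # 32 hex chars used purely as an opaque token
}

sub login {
    my ($user) = @_;          # caller has already verified the password
    my $id = new_session_id();
    $sessions{$id} = { user => $user, expires => time() + $LIFETIME };
    return $id;               # this is the value to place in the cookie
}

# Returns the user name for a valid, unexpired session, or undef.
sub session_user {
    my ($id) = @_;
    return undef unless defined $id && exists $sessions{$id};
    if ($sessions{$id}{expires} <= time()) {
        delete $sessions{$id};    # expired: purge so it cannot be revived
        return undef;
    }
    return $sessions{$id}{user};
}

# Logout deletes the server-side record; the caller additionally sends an
# emptied cookie, but the deletion is what makes the old value useless.
sub logout {
    my ($id) = @_;
    delete $sessions{$id} if defined $id;
}

my $id = login('paul');
print "valid: ",        (session_user($id) // 'none'), "\n";
logout($id);
print "after logout: ", (session_user($id) // 'none'), "\n";
```

Because the store, not the cookie, decides validity, expiry and logout take effect even for a cookie value that was captured earlier.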