Mail Index


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ApacheGallery] Proposal for an admin site



On Fri, Mar 08, 2002 at 03:06:05PM -0500, Paul Vallee wrote:
> Hi Thomas,
> 
> Happy annivesary!
> 
> Thanks for your advice.
> 
> I've changed the software to use Digest::MD5 (very painless, thanks for the
> tip.)
> 
> I don't really understand your suggestion of an additional secret over and
> above the password, and why it improves security. Does the user define it at
> login, like a PIN? And if so, would I track the valid values in a local
> file? I understand how this improves security but if that's what you have in
> mind we might as well do (arbitrary database based?) multi-user
> authentication with expiring sessions, and track the sessionid in the cookie
> and the (database/file) rather than the password. I would prefer to leave
> that for later, unless you feel strongly about it. Let me know if I've
> misunderstood. Right now, the risk is manageable in my opinion, especially
> if the user "logs out", which zeros out the cookie.

I guess there's really not much reason to do it, after all it's only a
gallery and doesn't need to be extremly secure. And since people could
sniff network traffic and find the content of the cookie there anyway..

> I have studied the documentation for CGI::FastTemplate at
> http://theoryx5.uwinnipeg.ca/CPAN/data/CGI-FastTemplate/FastTemplate.html
> and I'm afraid I don't understand your suggestion of using it to avoid
> hard-coding the form. I am already using CGI to dynamically generate the
> form and CGI::FastTemplate to set a template variable for display. Perhaps
> you could help me to understand better what you have in mind? Even better,
> if it's not too arduous, by all means just fix it in my code if you like. I
> certainly wouldn't consider it meddling! ;-)

The only reason I thought it might be good doing it with CGI::FastTemplate
is that we already have the layout in templates. It would mean that the 
other Thomas would be able to change the look of the forms too (if he
desires).

> Please find the new Gallery.pm (using Digest::MD5) and the new diff
> attached.


-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> <http://photos.eibner.dk/>
  !(C)<http://copywrong.dk/>                  <http://apachegallery.dk/>
          Putting the HEST in .COM <http://www.hestdesign.com/>

---------------------------------------------------------------------
Apache::Gallery users mailinglist. http://apachegallery.dk/
To unsubscribe, e-mail: [email protected]