From: Nathan V. <na...@th...> - 2001-01-25 19:32:16
On Thu, 25 Jan 2001, Chris Nandor wrote:

> This is the case now, in Slash. In bender, we use md5 hashing to store the
> password in the cookie. So the password itself is not there. Yes, the md5

Oh. I was thrown off by

    my $cookie = $uid . '::' . $passwd;

(Utility.pm line 1129) because I didn't know that $passwd was already hashed.

> hash could be stolen, so someone could copy your cookie and log in as you.
> And yes, this can all be worked around with SSL, which is why bender has
> SSL support, so admins can choose to use https.

A good solution.

> I am not opposed to other methods; the cool thing is that all of this is
> done in Slash::Apache::User, and is invoked in your Apache config. You can
> write a separate authentication module and plug that in to your Apache
> config instead. I imagine we will work toward having several different
> authentication modules.

Nifty! Maybe we'll write one using Apache::Session; it'd actually be good for one site we're working on, and especially for any site combining slash with commerce (in an amazon-esque way?), where privacy of regular users is important and they don't need to use https for everything.

-n
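The two cookie schemes the thread compares, as an added illustration that is not code from Slash or bender (which are Perl; this is Python so it runs stand-alone): a `uid::md5(password)` cookie of the kind the message describes, beside a server-side session store of the sort an Apache::Session-based module would keep. The user table, the password `hunter2`, the `SessionStore` class and its `ttl_seconds`/`clock` parameters are all constructed for the example. The point it makes concrete is the one Chris raises: a copied password-hash cookie logs the thief in forever, because nothing on the server can invalidate it short of changing the password, whereas a random session token can be expired or revoked. Note that a session token is still a bearer credential, so stealing it over plaintext HTTP works until logout or expiry, which is why the SSL option still matters.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table for the example: uid -> md5(password) hex digest,
# standing in for the already-hashed $passwd the message refers to.
USERS = {"42": hashlib.md5(b"hunter2").hexdigest()}


def password_hash_cookie(uid, password):
    """Build a bender-style cookie: uid::md5(password)."""
    return f"{uid}::{hashlib.md5(password.encode()).hexdigest()}"


def login_with_password_cookie(cookie):
    """Server side of the password-hash scheme.

    Splits the cookie, compares the digest against the stored one and
    returns the uid, or None. Any copy of a valid cookie is accepted,
    at any time: the server keeps no state it could revoke.
    """
    uid, sep, digest = cookie.partition("::")
    if not sep:
        return None
    stored = USERS.get(uid)
    if stored is None or not hmac.compare_digest(stored, digest):
        return None
    return uid


class SessionStore:
    """Server-side sessions: random token -> (uid, expiry).

    The cookie carries only the token; the password hash never leaves
    the server. Sessions can be expired or explicitly logged out.
    `clock` is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}
        self.ttl = ttl_seconds
        self.clock = clock

    def create(self, uid, password):
        """Check the password once, then hand out an unguessable token."""
        digest = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(uid, ""), digest):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (uid, self.clock() + self.ttl)
        return token

    def lookup(self, token):
        """Resolve a token to a uid, dropping it if it has expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        uid, expires = entry
        if self.clock() >= expires:
            del self._sessions[token]
            return None
        return uid

    def logout(self, token):
        """Revoke a token; a stolen copy stops working immediately."""
        self._sessions.pop(token, None)


def replay_demo():
    """Return (hash_cookie_replay_ok, session_replay_after_logout_ok)."""
    stolen = password_hash_cookie("42", "hunter2")
    hash_replay = login_with_password_cookie(stolen) == "42"

    store = SessionStore(ttl_seconds=60)
    token = store.create("42", "hunter2")
    store.logout(token)  # user logs out; the stolen copy is now dead
    session_replay = store.lookup(token) == "42"
    return hash_replay, session_replay


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```

In the password-hash scheme `login_with_password_cookie` has no notion of a session, so the server cannot tell a replayed copy from the legitimate browser; in the session scheme the same theft is bounded by `ttl_seconds` and by `logout`. Both checks use `hmac.compare_digest` so the comparison time does not leak how many leading characters of the digest matched.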