From: Gavin C. <ga...@op...> - 2006-09-08 02:02:46

On Thu, Sep 07, 2006 at 06:51:25PM -0600, Dieter Simader wrote:
> I am going through admin.pl right now and should have it completed fairly
> soon.
>
> It will work a bit differently. The session key is put together from the
> login name and the password. This is set up for the cookie; a digest is
> written to the user's config file for comparison. There is also a
> server-side and browser-side timeout. Multiuser access is granted if the
> sessions are within the timeout value. All the variables must match or you
> get a password prompt. Commandline access works just as before.
>
> In theory there is no way to guess anything because the cookie is never
> known anywhere outside of the browser. It's not stored in readable format.
> The raw cookie is compared to a digested version and if the two don't
> match you get a password prompt. In addition to the undigested version
> I'll add another switch so the cookie can be scrambled. This however will
> break multiple logins for the same user because the digest will never
> match different browser sessions.
>
> If anyone has any other ideas, by all means let me know.

Dieter, would it be difficult (as an alternative) to support external
authentication, i.e. delegate the authentication to apache, and on the SL
side just trust the REMOTE_USER environment variable, and bypass the SL
authentication if this is set?

That would be very nice in terms of using ldap or some kind of single
sign-on authentication with SL, and would mean the truly paranoid could
implement whatever crazy auth scheme they'd like themselves. You'd still
need the SL user database for authorization of course.

Thanks and regards,
Gavin

--
Gavin Carr
Open Fusion - Open Source Business Solutions [ Linux - Perl - Apache ]
http://www.openfusion.com.au
- Fashion is a variable, but style is a constant - Programming Perl
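The delegation Gavin proposes, sketched as an added Python example (it is not SQL-Ledger's own Perl code); the `external_auth` switch, the `Config` class and the in-memory user table are assumed names. It shows the three outcomes a defender wants kept apart: fall back to the application's own password prompt, accept the web-server-authenticated login, or deny a login the application's user database does not know.

```python
"""Constructed example: trusting REMOTE_USER only when the web server set it.

When the external-auth switch is on, the login authenticated by the web
server (Apache with an LDAP or single sign-on module, for instance) is
taken from the CGI variable REMOTE_USER and the application's own password
prompt is skipped. Authorization still requires an entry in the
application's user table.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# REMOTE_USER is set by the web server's own auth module. Anything a client
# sends as an HTTP request header reaches CGI as an HTTP_* variable (e.g.
# HTTP_REMOTE_USER) and is client-controlled, so it is never consulted.
TRUSTED_AUTH_VAR = "REMOTE_USER"


@dataclass
class Config:
    external_auth: bool = False                 # assumed name for the switch
    # Constructed stand-in for the application's user database:
    # login -> role (only membership matters here).
    users: Dict[str, str] = field(default_factory=dict)


def resolve_login(environ: Dict[str, str], config: Config) -> Tuple[str, Optional[str]]:
    """Decide how a request is authenticated.

    Returns one of:
      ("prompt", None)     - use the application's own session/password check
      ("external", login)  - web server authenticated a known user
      ("deny", login)      - web server authenticated a user the app does not know
    """
    if not config.external_auth:
        # Switch off: REMOTE_USER is ignored entirely, even if present.
        return ("prompt", None)
    login = environ.get(TRUSTED_AUTH_VAR, "").strip()
    if not login:
        # Web server did not authenticate anyone; fall back to the app's check.
        return ("prompt", None)
    if login not in config.users:
        # Authentication is delegated, but authorization is not: an unknown
        # login is refused rather than handed a second chance via password.
        return ("deny", login)
    return ("external", login)
```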