Hi,

> No need to be arrogant and insult people.  "Your reply is line noise"?
>  "Go to another site to find out why"?  That really makes people trust
> what you have to say, not.

Sorry for bringing mud to the list, I know it's not the culture here
to communicate like that. However, Ross' message was also arrogant and
deserved a terse reply. Just like my message deserved a sarcastic
response from you. The tit-for-tat will have to stop at some point!

Ross, your later message is much more balanced. This is clearly a
feature you don't want or need, and that's fair enough, just don't
enable it in your apps. I suggest you duck out of further discussion,
as some people do want this feature, and we'd like to focus on how to
do this, not the limitations, which we're already well aware of.

Ben, I was thinking that adding this to AuthKit is the obvious choice.
I don't know AuthKit, but I'd imagine having a configuration option
"use_js_hash". The main issue is how AuthKit currently stores
passwords in the database. Does it have them hashed, with a per-user
salt? The challenge there is you need an Ajax request at login to
fetch the user's salt. No problem with the salt being public, but you
need to take care not to reveal the existence of users.

What we really want is to store passwords like this:
hmac_sha1(hmac_sha1(server_salt, user_name), password)

This gives per-user salts, with no need for an Ajax request at login.
The challenge of course is pre-existing applications that don't store
like this.

BTW, I'm expecting someone's going to jump in and say the Ajax request
at login prevents non-JS users. In fact it doesn't.

Paul
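The storage scheme Paul proposes above, hmac_sha1(hmac_sha1(server_salt, user_name), password), worked through as an added example (not code from the post, AuthKit or Pylons). It assumes the server salt is an application-wide public value the login page can ship to the browser, that the inner HMAC's raw digest is used as the key of the outer one, and that the result is stored hex-encoded; the user names and passwords are constructed demo values.

```python
import hmac
import hashlib

# Constructed value: one application-wide salt. The post allows it to be
# public, so it can be embedded in the login page for client-side hashing.
SERVER_SALT = b"example-public-server-salt"


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """Raw HMAC-SHA1 digest; (key, message) ordering follows the post."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def user_salt(server_salt: bytes, user_name: str) -> bytes:
    """Per-user salt derived from the public salt and the user name, so no
    Ajax round trip (and no salt-lookup oracle for user names) is needed."""
    return hmac_sha1(server_salt, user_name.encode("utf-8"))


def stored_hash(server_salt: bytes, user_name: str, password: str) -> str:
    """hmac_sha1(hmac_sha1(server_salt, user_name), password), hex-encoded
    (hex encoding is an assumption; the post does not fix one)."""
    return hmac_sha1(user_salt(server_salt, user_name),
                     password.encode("utf-8")).hex()


def verify(stored: str, server_salt: bytes, user_name: str, password: str) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(stored_hash(server_salt, user_name, password), stored)


# Constructed "database": two users who happen to share a password.
USERS = {name: stored_hash(SERVER_SALT, name, "correct horse")
         for name in ("alice", "bob")}

# Dummy record for unknown users, so the login path does the same work
# whether or not the account exists (keeps existence from leaking via timing).
_DUMMY = stored_hash(SERVER_SALT, "\x00no-such-user", "\x00")


def login(user_name: str, password: str) -> bool:
    """Uniform verification path for known and unknown users."""
    stored = USERS.get(user_name)
    ok = verify(stored if stored is not None else _DUMMY,
                SERVER_SALT, user_name, password)
    return ok and stored is not None


def same_password_distinct_hashes() -> bool:
    """The per-user salt makes identical passwords hash differently."""
    return USERS["alice"] != USERS["bob"]
```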
You received this message because you are subscribed to the Google Groups 
"pylons-devel" group.
