Alexei Vinidiktov wrote:
> On Mon, Jun 8, 2009 at 11:29 AM, mdipierro<mdipie...@cs.depaul.edu> wrote:
> >
> > Hi Richard,
> >
> > The Gmail authentication is not based on OpenID (yet). It presents
> > you with a standard login form. It tries to log you in via the normal
> > auth_user table. If it fails, it tries to verify your password using
> > the Gmail SMTP service. If that works, the auth_user table is created/
> > updated with the md5 hash of your current password.
> >
> > This is designed to be straightforward to set up.
>
> I see one drawback to this approach. If the user is logged in with
> gmail credentials without leaving your site, he/she may be reluctant
> to give them because he/she might be thinking "what if this site is
> phishing for my credentials to gmail?"
>
> What do you think?
>
Not only that, it's against IT security rule no. 1, to not have the
same passwords on different sites.
And in this case the chain is not stronger than the weakest link.
So I think this is a potential security risk even though it's very handy.
/R
> >
> > We will soon have an API like stack overflow does.
> >
>
> That's great to hear!
>
>
>
>
>
> --
> Alexei Vinidiktov
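
The login flow described in the quoted message, as an added sketch that is not part of the thread and is not web2py's code: a local `auth_user` lookup first, then a remote check, then caching a hash of the password locally. The remote check is a constructed stand-in for the SMTP login, and `login`, `md5_record` and `pbkdf2_record` are hypothetical names; the sketch contrasts the unsalted md5 record with a salted PBKDF2 one.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the mail provider; the flow in the thread would
# attempt an authenticated SMTP login here instead.
REMOTE_ACCOUNTS = {"alice@example.com": "correct horse"}

def remote_verify(email, password):
    expected = REMOTE_ACCOUNTS.get(email)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def md5_record(password):
    # What the thread describes: an unsalted md5 of the provider password.
    # Equal passwords give equal hashes, and md5 is cheap to guess against.
    return {"scheme": "md5",
            "hash": hashlib.md5(password.encode()).hexdigest()}

def pbkdf2_record(password, iterations=600_000):
    # Hardened alternative (an assumption, not from the thread): a per-user
    # random salt and a slow key-derivation function.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt,
            "iterations": iterations, "hash": dk.hex()}

def matches(record, password):
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(),
            record["salt"], record["iterations"]).hex()
    return hmac.compare_digest(candidate, record["hash"])

def login(auth_user, email, password, make_record):
    """Return 'local', 'remote', or None, mirroring the described order."""
    record = auth_user.get(email)
    if record is not None and matches(record, password):
        return "local"
    if remote_verify(email, password):
        # The local table now holds material derived from the provider
        # password, so a leak of this table exposes that password to guessing.
        auth_user[email] = make_record(password)
        return "remote"
    return None
```

Because the local table is checked first in this sketch, a cached record keeps accepting the old password after it is changed at the provider, until a remote login overwrites it.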