I have a strange situation and I know virtually nothing about cryptography. I am passing a key to my auth password requires statement after the recent discussion on security strength like so:

    if "login" in request.args:
        t.password.requires = [CRYPT(key='mykey')]
    else:
        t.password.requires = [IS_STRONG(upper=1, number=1, special=1), CRYPT(key='mykey')]

Here's the weird part: I have a dev server and a production server that are both running web2py and pointed to the same MySQL database. If I reset a user password from the dev server (retrieve_password), I can only log in from the dev server after that. The same is true for the production machine. Resetting from the production server reverses the situation.

I have stepped through the code and verified that at line 779 in tools.py user[passfield] is indeed different than form.vars.get(passfield, '') (both look like valid password hashes) so user = None, and thus login fails.

All I can figure is that the encryption is bound to the machine that generated the password hash. I'm using the same version of Python and web2py. Can someone verify or explain?

As always, thanks for your help.
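A diagnostic sketch for the mismatch described above, added here as an example and not part of the original post or of web2py's code: given a known test password and the hash each server wrote to the shared table, it reports which key and digest algorithm reproduce that hash. It assumes CRYPT with a key computes an HMAC over the password; the function names, the algorithm list and the sample rows are constructed for illustration.

```python
import hashlib
import hmac

# Digest algorithms to try. Which one a given install uses is an assumption.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def keyed_hash(password, key, alg):
    """HMAC of the password; the result depends only on key, algorithm and input."""
    return hmac.new(key.encode("utf-8"), password.encode("utf-8"),
                    getattr(hashlib, alg)).hexdigest()


def plain_hash(password, alg):
    """Unkeyed digest, i.e. what is stored if the key was never applied."""
    return hashlib.new(alg, password.encode("utf-8")).hexdigest()


def identify(stored, password, candidate_keys):
    """Return every (key, alg) that reproduces `stored`; key is None if unkeyed."""
    matches = []
    for alg in ALGORITHMS:
        if hmac.compare_digest(plain_hash(password, alg), stored):
            matches.append((None, alg))
        for key in candidate_keys:
            if hmac.compare_digest(keyed_hash(password, key, alg), stored):
                matches.append((key, alg))
    return matches


if __name__ == "__main__":
    # Constructed sample rows: the same test password as written by two servers
    # whose hashing configuration differs (here, the digest algorithm).
    test_password = "Test-Passw0rd!"
    dev_row = keyed_hash(test_password, "mykey", "md5")
    prod_row = keyed_hash(test_password, "mykey", "sha512")

    keys_to_try = ["mykey", "mykey\n", "MYKEY"]
    for name, row in (("dev", dev_row), ("prod", prod_row)):
        print(name, len(row), identify(row, test_password, keys_to_try))
```

If the two rows resolve to different (key, algorithm) pairs, the servers are not hashing with the same configuration; if neither row resolves, the input itself differs, for example through encoding or a validator applied in a different order.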