1388203 - Reuse HTTP authentication for login-PATCH_V2
black.myst at free.fr
Thu Dec 21 23:21:54 CET 2006
Brennan Stehling wrote:
> I suppose you could make this a layered approach where you use the HTTP
> authentication to control access and get the username. But then you save
> the password for that user as a preference.
Yes, I could. But to do this, I need to save the password in the database
and I don't want to do this for security reasons. On my system, passwords
are hashed in /etc/shadow and I don't want to see them anywhere else.
Currently, I know that the password is in the session, so in the database... But
I will fix this problem next week. With Http_Authent, I don't need
to put the password in the session.
> Another option is to use InfoCards. Here is a very interesting use of it.
> That is a PHP blog (Wordpress) but it allows InfoCard for logging into the
> system. There is an extension for FireFox and Safari. There is a
> feature for Windows called Cardspace which is included in Vista and MSIE 7.
> An InfoCard can securely hold the IMAP username and password.
Maybe. But currently, nobody needs this feature :-)
> On Thu, 21 Dec 2006 22:18:59 +0100, "Black.myst" <black.myst at free.fr> wrote:
>> Brennan Stehling wrote:
>>> This looks very useful. Does it also work with Digest Authentication?
>> I didn't know about Digest Authentication... But Google is my friend:
>> - http://www.peej.co.uk/projects/phphttpdigest.html
>> - http://en.wikipedia.org/wiki/Digest_access_authentication
>> I don't understand all the code (link #1), but there is no moment where
>> the password is known by the PHP code. With only a hashed password, we can't
>> log in to the IMAP or SMTP server.
>> RoundCube doesn't need to authenticate the user; RoundCube needs the
>> user/password to connect to the IMAP and SMTP servers.
>> Currently, I don't see how to get the user/password with Digest Authentication
>> and I'm not sure that it's possible...
>> If you have an idea how to get the password, I will try to implement it.
>> Note:
>> Currently, I use a new boolean config 'http_authent', but it would
>> perhaps be preferable to choose something more open like:
>> $rcmail_config['autologin'] = none / http_authent / ...
>> or $rcmail_config['logintype'] = login_page / http_authent / ...
>> It is more extensible.
>> What do you think about it?
>> Black Myst.
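The point made in the thread, that HTTP Basic hands the PHP front-end a cleartext password it can forward to IMAP/SMTP while HTTP Digest only ever gives it a one-way hash, can be seen directly by parsing both kinds of Authorization header. The following is an added example written for this page; it is not Roundcube code, not code from the links above, and not part of the thread. The realm, user, password, nonce, URI and both Authorization headers are constructed for the demo, and the function names are ours.

```php
<?php
// Added example (not Roundcube code): what a PHP front-end learns from
// HTTP Basic versus HTTP Digest authentication. All values below
// (realm, user, password, nonce, headers) are constructed for illustration.

declare(strict_types=1);

// Basic: the header carries base64(user:password), so PHP gets the
// cleartext and can reuse it to log in to IMAP/SMTP on the user's behalf.
function credentialsFromBasic(string $authorization): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $authorization, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $password] = explode(':', $decoded, 2);
    return ['user' => $user, 'password' => $password];
}

// Digest: parse the key="value" pairs of the Authorization header.
function parseDigest(string $authorization): ?array
{
    if (stripos($authorization, 'Digest ') !== 0) {
        return null;
    }
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($authorization, 7), $m, PREG_SET_ORDER);
    $parts = [];
    foreach ($m as $p) {
        $parts[$p[1]] = ($p[2] !== '') ? $p[2] : ($p[3] ?? '');
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response'] as $k) {
        if (!isset($parts[$k])) {
            return null;
        }
    }
    return $parts;
}

// Digest verification needs only HA1 = MD5(user:realm:password), which the
// server stores instead of the password (RFC 2617). The cleartext never
// crosses the wire, so this code never sees it.
function verifyDigest(array $d, string $method, string $ha1): bool
{
    $ha2 = md5($method . ':' . $d['uri']);
    if (isset($d['qop']) && $d['qop'] === 'auth') {
        $expected = md5($ha1 . ':' . $d['nonce'] . ':' . $d['nc'] . ':' . $d['cnonce'] . ':auth:' . $ha2);
    } else {
        $expected = md5($ha1 . ':' . $d['nonce'] . ':' . $ha2);
    }
    return hash_equals($expected, $d['response']);
}

// --- constructed demo ---
$realm    = 'webmail';
$user     = 'alice';
$password = 'correct horse';   // known here only to build the demo headers

// 1. Basic: the front-end recovers the password and can use it for IMAP.
$basicHeader = 'Basic ' . base64_encode("$user:$password");
$creds = credentialsFromBasic($basicHeader);
echo "Basic  -> user={$creds['user']} password={$creds['password']}\n";

// 2. Digest: the server keeps HA1 and checks the client's response hash.
$nonce    = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';
$uri      = '/mail/';
$ha1      = md5("$user:$realm:$password");               // stored server-side
$response = md5($ha1 . ':' . $nonce . ':' . md5('GET:' . $uri));
$digestHeader = sprintf(
    'Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"',
    $user, $realm, $nonce, $uri, $response
);
$d  = parseDigest($digestHeader);
$ok = verifyDigest($d, 'GET', $ha1);
echo 'Digest -> user=' . $d['username'] . ' authenticated=' . ($ok ? 'yes' : 'no')
   . ' password=' . (isset($d['password']) ? 'present' : 'not present') . "\n";
// The Digest header holds only $d['response'], a one-way hash; there is
// nothing to hand to the IMAP or SMTP server, which is exactly the problem
// described in the thread.
```

Running the script with PHP 7 or later prints the Basic line with the recovered cleartext password and the Digest line with `authenticated=yes` but `password=not present`. The verification side also shows why the storage concern in the reply is not solved by Digest either: the server must keep HA1, an unsalted MD5 of user:realm:password, which is a weaker secret than a /etc/shadow entry.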