[Seaside] Proper password hashing
Peter Kwangjun Suk
peter.kwangjun.suk at gmail.com
Sun Apr 10 19:19:59 UTC 2011
I have a question about login forms like this:
defaultAction: [self confirmLogin];
with: 'Welcome to my site'.
html bold: 'Enter login name:'.
callback: [:v | self login: v].
html bold: 'Enter password:'.
callback: [:c | self password: ((SHA2 hash: c)
asHexString asLowercase) ].
Isn't it the case that the password will be sent in plaintext up to
the server, and only then will be hashed? Wouldn't one have to write
form field, clear out the password field, and have >that< request sent
up to the server? (Right now, I'd rather do that than put up an SSL
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
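
The question above, worked through as an added example that is not part of the original post or of Seaside: a hash computed in the browser is the same string on every login, so it becomes the replayable secret, whereas a per-login server nonce makes each response valid once. Written for Node.js; every function name and the sample password are constructed for illustration, and the scheme assumes the server stores the SHA-256 of the password.

```javascript
// Added example, not code from the post. All names are hypothetical.
const nodeCrypto = require("crypto");

const sha256Hex = (s) =>
  nodeCrypto.createHash("sha256").update(s, "utf8").digest("hex");

// What the form would submit if script hashed the field before sending:
// an identical value on every login, i.e. a password equivalent.
function staticClientHash(password) {
  return sha256Hex(password);
}

// Server: issue a fresh random nonce per login attempt (and accept it once).
function newChallenge() {
  return nodeCrypto.randomBytes(16).toString("hex");
}

// Client: prove knowledge of the password hash without transmitting it.
function clientResponse(password, nonce) {
  return nodeCrypto.createHmac("sha256", sha256Hex(password))
    .update(nonce, "utf8").digest("hex");
}

// Server: recompute from the stored hash and compare in constant time.
function serverVerify(storedHash, nonce, response) {
  const expected = nodeCrypto.createHmac("sha256", storedHash)
    .update(nonce, "utf8").digest();
  const got = Buffer.from(response, "hex");
  return got.length === expected.length &&
    nodeCrypto.timingSafeEqual(got, expected);
}

// Constructed sample data: one login, then the same response replayed
// against a later challenge, then a wrong password.
function demo() {
  const password = "correct horse";
  const stored = sha256Hex(password);
  const n1 = newChallenge();
  const r1 = clientResponse(password, n1);
  const n2 = newChallenge();
  return {
    staticRepeats: staticClientHash(password) === staticClientHash(password),
    freshAccepted: serverVerify(stored, n1, r1),
    replayAccepted: serverVerify(stored, n2, r1),
    wrongPassword: serverVerify(stored, n2, clientResponse("guess", n2)),
  };
}
console.log(demo());
```

The stored hash is still password-equivalent in this scheme, and script delivered over plain HTTP can be altered in transit, so this only narrows passive capture and does not substitute for TLS.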