[Seaside] Proper password hashing

Peter Kwangjun Suk peter.kwangjun.suk at gmail.com
Sun Apr 10 19:19:59 UTC 2011


I have a question about login forms like this:

   (html form)
       defaultAction: [self confirmLogin];
       with: [
            (html heading)
                level3;
                with: 'Welcome to my site'.
            html bold: 'Enter login name:'.
            (html textInput)
                withValue: '';
                callback: [:v | self login: v].
            html bold: 'Enter password:'.
            "Seaside runs this callback on the server: the submitted value c
             arrives as the raw password and is hashed only at this point."
            (html passwordInput)
                callback: [:c | self password: ((SHA2 hash: c) asHexString asLowercase)].
            (html submitButton)
                text: 'Login!'].

Isn't it the case that the password will be sent in plaintext up to
the server, and only then will be hashed?  Wouldn't one have to write
JavaScript to hash the password client-side, stuff it into a hidden
form field, clear out the password field, and have >that< request sent
up to the server?  (Right now, I'd rather do that than put up an SSL
server.)

--Peter

-- 
There's neither heaven nor hell,
save what we grant ourselves.
There's neither fairness nor justice,
save what we grant each other.
