[Seaside] Proper password hashing

Philippe Marschall philippe.marschall at gmail.com
Mon Apr 11 15:24:02 UTC 2011


2011/4/10 Peter Kwangjun Suk <peter.kwangjun.suk at gmail.com>:
> I have a question about login forms like this:
>
>   (html form)
>       defaultAction: [self confirmLogin];
>       with:
>            [(html heading)
>                level3;
>                with: 'Welcome to my site'.
>            html bold: 'Enter login name:'.
>            (html textInput)
>                withValue: '';
>                callback: [:v | self login: v].
>            html bold: 'Enter password:'.
>            (html passwordInput)
>                callback: [:c | self password: ((SHA2 hash: c) asHexString asLowercase)].
>            (html submitButton)
>                text: 'Login!'].
>
> Isn't it the case that the password will be sent in plaintext up to
> the server, and only then will be hashed?  Wouldn't one have to write
> Javascript to hash the password client-side, stuff it into a hidden
> form field, clear out the password field, and have >that< request sent
> up to the server?  (Right now, I'd rather do that than put up an SSL
> server.)

You should use a salt, probably the login in this case (doesn't
address the sniffing).

Cheers
Philippe
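To make Philippe's point concrete, here is an added example (written in Python rather than Smalltalk so it can be run anywhere; it is not Seaside code and not code from either poster). It puts the unsalted SHA-2 of the quoted form next to a login-salted hash and next to a record produced with a random per-user salt and a slow key derivation (PBKDF2-HMAC-SHA256; the salt length and iteration count are assumed values, not from the thread). The login works as a salt, but it is predictable and the same login on another site gives the same digest, which is why the stronger variant draws the salt from the OS random source and stores it alongside the digest. All of this runs on the server after the form is submitted; as the reply says, none of it addresses sniffing, which only transport encryption does.

```python
"""Server-side salted password hashing, contrasted with the unsalted SHA-2
of the quoted Seaside form. Added example, not code from the original thread."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, a 16-byte
# random per-user salt and 200 000 iterations.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """What the quoted form does: one fast hash, no salt. Two users with the
    same password get the same digest, and a precomputed table breaks it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def login_salted_sha256(login: str, password: str) -> str:
    """The reply's suggestion: salt with the login. Digests now differ per
    user, but the salt is predictable and reused across sites, so a random
    salt (hash_password below) is the stronger choice."""
    return hashlib.sha256((login + password).encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt is drawn unless one is supplied explicitly."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time; any malformed record simply fails verification."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        digest = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

The stored record carries its own algorithm name and iteration count, so the cost can be raised later and old records still verify; store it in place of the bare hex digest the quoted `password:` callback keeps.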
