[Seaside] Proper password hashing
Philippe Marschall
philippe.marschall at gmail.com
Mon Apr 11 15:24:02 UTC 2011
2011/4/10 Peter Kwangjun Suk <peter.kwangjun.suk at gmail.com>:
> I have a question about login forms like this:
>
> (html form)
> defaultAction: [self confirmLogin];
> with:
> [(html heading)
> level3;
> with: 'Welcome to my site'.
> html bold: 'Enter login name:'.
> (html textInput)
> withValue: '';
> callback: [:v | self login: v].
> html bold: 'Enter password:'.
> (html passwordInput)
> callback: [:c | self password: ((SHA2 hash: c)
> asHexString asLowercase) ].
> (html submitButton)
> text: 'Login!'].
>
> Isn't it the case that the password will be sent in plaintext up to
> the server, and only then will be hashed? Wouldn't one have to write
> Javascript to hash the password client-side, stuff it into a hidden
> form field, clear out the password field, and have >that< request sent
> up to the server? (Right now, I'd rather do that than put up an SSL
> server.)
You should use a salt, probably the login in this case (doesn't
address the sniffing).
Cheers
Philippe
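To make the two points of this thread concrete (the hash in the quoted callback runs on the server after the plaintext has already arrived, and the stored value should be salted), here is an added Python example that is not part of the original thread or of Seaside. It uses PBKDF2-HMAC-SHA256 from the standard library and a random per-user salt rather than the login name; the user store is an in-memory dict constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters (assumed values for this demo).
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_sha256_hex(password: str) -> str:
    """What the quoted Seaside callback effectively stores: a bare SHA-2 of
    the password, so two users with the same password get the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().lower()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Server-side hashing with a per-user random salt.
    Returns 'scheme$iterations$salt_hex$digest_hex' so the salt and work
    factor travel with the stored record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time. Malformed or unknown records never verify."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(users: dict, login: str, password: str) -> None:
    """Store only the salted hash; the plaintext is discarded here."""
    users[login] = hash_password(password)


def check_login(users: dict, login: str, password: str) -> bool:
    """Login check the form's defaultAction would perform server-side."""
    stored = users.get(login)
    return stored is not None and verify_password(password, stored)
```

The unsalted helper is included only to show why Philippe's advice matters: equal passwords collide there, while `hash_password` yields a different record each time.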