[kune-commits] [Kune - Feature #131] (Closed) Secure register/sign in and autologin

Redmine Comunes noreply at ourproject.org
Mon Sep 3 16:12:58 CEST 2012

Issue #131 has been updated by Vicente J. Ruiz Jurado.

Status changed from New to Closed
% Done changed from 0 to 100

Feature #131: Secure register/sign in and autologin

* Author: Vicente J. Ruiz Jurado
* Status: Closed
* Priority: High
* Assignee: Vicente J. Ruiz Jurado
* Category: Common
* Target version: 
* Resolution: fixed

The goal:
- Register accounts
- Sign in with user/pass
- and auto login with a cookie for some days
in both Kune+Wave+XMPP

Also we have to permit XMPP auth to non-Kune/emite XMPP clients.

The current status:
Kune/WIAB register users with digest SHA-512 + salt,
auth plaintext user + pass (see [[WaveClientSimpleAuthenticator]]). Aka: we should use HTTPS.
Autologin is done via a hash in a cookie.

A proposed non secure solution (server specific) is to implement a custom:
and for autologin, try to auth to XMPP with user+cookie-hash as a second option using:

This permits normal XMPP use (with external and emite client) and autologin for XMPP also in Kune.

Problem: we need to store plain passwords (even with a SASL client I think). See:
This is not secure: "But hey, management wants encrypted passwords in the database, management gets encrypted passwords in the database. :-)"

TODO: study a way to make a compatible secure plain+digest [[AuthProvider]] compatible with our SHA-512 stored pass... 

Work in progress
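
One way to check a secret received in the clear (SASL PLAIN or the web form, over TLS) against a salted SHA-512 record, accepting the autologin cookie value as a second option, so that no plaintext password is stored. This is an added example, not Kune or WIAB code; the function names, the record layout, the SHA-512(salt || password) construction and the sample values are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

def make_record(password: str) -> dict:
    """Registration: keep only a random salt and SHA-512(salt || password)."""
    salt = os.urandom(16)
    digest = hashlib.sha512(salt + password.encode()).digest()
    return {"salt": salt, "digest": digest}

def issue_autologin(record: dict, days: int, now: float) -> str:
    """Create the cookie value; the server keeps only its hash and an expiry."""
    token = os.urandom(32).hex()  # high-entropy random value, so no salt needed
    record["token_hash"] = hashlib.sha512(token.encode()).digest()
    record["token_expires"] = now + days * 86400
    return token

def authenticate(record: dict, secret: str, now: float) -> Optional[str]:
    """Return "password", "autologin" or None for a secret sent in the clear.

    First option: recompute the salted digest and compare in constant time.
    Second option: treat the secret as the autologin cookie value, valid
    only until its expiry.
    """
    candidate = hashlib.sha512(record["salt"] + secret.encode()).digest()
    if hmac.compare_digest(candidate, record["digest"]):
        return "password"
    token_hash = record.get("token_hash")
    if token_hash is not None and now < record["token_expires"]:
        presented = hashlib.sha512(secret.encode()).digest()
        if hmac.compare_digest(presented, token_hash):
            return "autologin"
    return None

if __name__ == "__main__":
    # Constructed sample account and clock values.
    rec = make_record("correct horse")
    cookie = issue_autologin(rec, days=7, now=0.0)
    print(authenticate(rec, "correct horse", now=10.0))
    print(authenticate(rec, cookie, now=3 * 86400.0))
    print(authenticate(rec, cookie, now=8 * 86400.0))
```

A challenge-response mechanism such as DIGEST-MD5 cannot be served from this record, because the server would need the password itself or a mechanism-specific password-equivalent hash to compute the expected response.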