[kune-devel] [kune issues] #131: Secure register/sign in and autologin

kune issues noreply at ourproject.org
Wed Sep 28 19:36:45 CEST 2011

#131: Secure register/sign in and autologin
  Reporter:  vjrj         |      Owner:  vjrj
      Type:  enhancement  |     Status:  new
  Priority:  major        |  Milestone:
 Component:  Common       |    Version:
Resolution:               |   Keywords:
Blocked By:               |   Blocking:
 The goal:
 - Register accounts
 - Sign in with user/pass
 - and auto login with a cookie for some days
 in both Kune+Wave+XMPP

 Also we have to permit xmpp auth to non kune/emite xmpp clients.

 The current status:
 Kune/WIAB register users with digest SHA-512 + salt
      auth plaintext user + pass (see WaveClientSimpleAuthenticator). Aka:
 We should use https
 Autologin is done via a hash in a cookie.

 A proposed non-secure solution (server specific) is to implement a custom:
 and for autologin, try to auth to xmpp with user+cookie-hash as a second
 option using:

 This permits normal xmpp use (with external and emite client) and
 autologin for xmpp also in kune.

 Problem: we need to store plain passwords (even with a SASL client I
 think). See:
 This is not secure: "But hey, management wants encrypted passwords in the
 database, management gets encrypted passwords in the database. :-)"

 TODO: study a way to make a compatible secure plain+digest AuthProvider
 compatible with our SHA-512 stored pass...

 Work in progress

Ticket URL: <http://kune.ourproject.org/issues/ticket/131>
kune issues <http://kune.ourproject.org/issues/>
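
Added example, not part of the ticket or of Kune's code: why a store that holds only salted SHA-512 digests can check a plaintext (PLAIN) login but cannot check a challenge-response digest. The salt layout (SHA-512 over salt + password), the choice of the XEP-0078 digest (hex SHA-1 of stream id + password) as the digest mechanism, and all names and sample values are assumptions.

```python
import hashlib
import hmac

# Assumption: the account store keeps salt + SHA-512(salt || password).
def store_password(password, salt):
    return salt, hashlib.sha512(salt + password.encode("utf-8")).digest()

def verify_plain(record, presented_password):
    """PLAIN auth: the server receives the password and can re-hash it."""
    salt, stored = record
    candidate = hashlib.sha512(salt + presented_password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)

def xep0078_digest(stream_id, password):
    """Digest a client sends in XEP-0078: hex SHA-1 of stream id + password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()

def verify_digest_with_plaintext(stream_id, stored_plain_password, client_digest):
    """Works, but only because the server keeps the password itself."""
    expected = xep0078_digest(stream_id, stored_plain_password)
    return hmac.compare_digest(expected, client_digest)

def verify_digest_with_hash_only(record, stream_id, client_digest):
    """Best a hash-only server can do: treat the stored hash as the secret.
    A standard client hashes the real password, so this does not match."""
    _salt, stored = record
    expected = xep0078_digest(stream_id, stored.hex())
    return hmac.compare_digest(expected, client_digest)

# Constructed sample values, not taken from Kune.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
RECORD = store_password("correct horse", SALT)
STREAM_ID = "3EE948B0"
CLIENT_DIGEST = xep0078_digest(STREAM_ID, "correct horse")

if __name__ == "__main__":
    print("PLAIN, right password:", verify_plain(RECORD, "correct horse"))
    print("PLAIN, wrong password:", verify_plain(RECORD, "wrong"))
    print("digest, plaintext stored:",
          verify_digest_with_plaintext(STREAM_ID, "correct horse", CLIENT_DIGEST))
    print("digest, hash-only store:",
          verify_digest_with_hash_only(RECORD, STREAM_ID, CLIENT_DIGEST))
```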
