httpd-dev mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: Password caching (was: svn commit: r1427548)
Date Sat, 05 Jan 2013 09:52:56 GMT


----- Original Message -----
> On Wednesday 02 January 2013, Eric Covener wrote:
> > On Wed, Jan 2, 2013 at 4:02 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
> > > On Wednesday 02 January 2013, Jim Jagielski wrote:
> > >> For *real* improvement, wouldn't storing in socache be
> > >> the optimal method?
> > > 
> > > Yes. I fear there may be some knee-jerk reaction like "oh my god,
> > > they are keeping all the passwords in plain-text". But if it
> > > would be limited to the shmcb socache provider, and if the
> > > passwords would be cleared after some time of not being used, I
> > > don't see any real security problems. Any other opinions?
> > 
> > For authentication, can you already opt-in to effectively this with
> > the mod_authn_socache?
> 
> No, mod_authn_socache only caches the lookup of the password hash. It
> avoids having to open the password file/dbm/whatever but it still
> calls apr_password_validate() every time. Maybe it should be extended
> to also cache the real password and the result of
> apr_password_validate()?
> 

Stupid question time:
Why can't we store the password *hash* in the socache instead of
the plain-text password?

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
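
Added illustration of the design being discussed (example code, not from httpd, APR, or anyone on this thread): a validation cache that memoizes successful apr_password_validate()-style checks without ever storing the plaintext, keyed instead by a keyed digest of realm, user, the stored hash and the submitted password, and expiring after a TTL. All names are assumptions, and PBKDF2 stands in for the slow verify that the real module would perform.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for apr_password_validate(): deliberately slow.
# Stored record format is "salt_hex$pbkdf2_hex" (an assumption, not APR's).
SLOW_ITERATIONS = 100_000


def make_stored_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def slow_validate(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), SLOW_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class AuthnResultCache:
    """Caches *successful* validations only. The key binds realm, user, the
    stored hash (so a changed password file invalidates entries) and the
    submitted password through an HMAC; the plaintext itself is never kept."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        # Per-process key; a shared (shmcb-style) cache would need a shared key.
        self.secret = os.urandom(32)
        self.entries = {}        # cache key -> expiry time
        self.slow_calls = 0      # how often the expensive verify actually ran

    def _key(self, realm, user, stored, password):
        msg = "\0".join((realm, user, stored, password)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def validate(self, realm, user, password, stored, now=None) -> bool:
        now = time.monotonic() if now is None else now
        key = self._key(realm, user, stored, password)
        exp = self.entries.get(key)
        if exp is not None and exp > now:
            return True          # hit: skip the slow verify entirely
        self.entries.pop(key, None)   # expired or absent
        self.slow_calls += 1
        ok = slow_validate(password, stored)
        if ok:                   # failures are never cached: they always pay full cost
            self.entries[key] = now + self.ttl
        return ok
```

Only positive results are cached and each entry dies with its TTL, so a guessed password gains nothing from the cache and a stale entry cannot outlive a password change.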

