httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Password caching (was: svn commit: r1427548)
Date Wed, 02 Jan 2013 21:36:00 GMT
On Wednesday 02 January 2013, Eric Covener wrote:
> On Wed, Jan 2, 2013 at 4:02 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
> > On Wednesday 02 January 2013, Jim Jagielski wrote:
> >> For *real* improvement, wouldn't storing in socache be
> >> the optimal method?
> > 
> > Yes. I fear there may be some knee-jerk reaction like "oh my god,
> > they are keeping all the passwords in plain-text". But if it
> > would be limited to the shmcb socache provider, and if the
> > passwords would be cleared after some time of not being used, I
> > don't see any real security problems. Any other opinions?
> 
> For authentication, can you already opt-in to effectively this with
> the mod_authn_socache?

No, mod_authn_socache only caches the lookup of the password hash. It 
avoids having to open the password file/dbm/whatever but it still 
calls apr_password_validate() every time. Maybe it should be extended 
to also cache the real password and the result of 
apr_password_validate()?
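
An added illustration of the extension proposed in the message above, not part of the original message and not httpd or mod_authn_socache code: a small cache that remembers the password which last validated against a given stored hash and clears entries that go unused. `slow_validate()` is a constructed stand-in for `apr_password_validate()`, and `SLOTS`, `IDLE_TTL`, `cached_validate()` and the toy reversed-string "hash" are assumptions made for the example.

```c
#include <string.h>
#include <time.h>

#define SLOTS    8
#define IDLE_TTL 300   /* assumed: seconds an entry may sit unused */
typedef struct { char hash[64], pw[64]; time_t last_used; } entry;
static entry cache[SLOTS];   /* hash[0] == 0 marks a free slot */
static unsigned slow_calls;  /* how often the expensive check ran */
/* Constructed stand-in for apr_password_validate(): the toy "hash" is the
 * password reversed. Returns 0 on a match. */
static int slow_validate(const char *pw, const char *hash) {
    size_t n = strlen(pw), i;
    slow_calls++;
    if (strlen(hash) != n) return -1;
    for (i = 0; i < n; i++) if (hash[i] != pw[n - 1 - i]) return -1;
    return 0;
}
/* memset() on dying data may be optimised away, so write through volatile. */
static void wipe(entry *e) {
    volatile char *p = (volatile char *)e; size_t n = sizeof *e;
    while (n--) *p++ = 0;
}
/* Compare fixed-size, zero-padded buffers without an early exit. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    while (n--) d |= (unsigned char)(*a++ ^ *b++);
    return d == 0;
}
/* Returns 1 if pw validates against hash, else 0. */
int cached_validate(const char *pw, const char *hash, time_t now) {
    entry probe, *e, *slot = NULL; int i, ok;
    if (!*hash || strlen(pw) >= sizeof probe.pw || strlen(hash) >= sizeof probe.hash)
        return slow_validate(pw, hash) == 0;          /* not cacheable */
    memset(&probe, 0, sizeof probe);
    strcpy(probe.pw, pw); strcpy(probe.hash, hash); probe.last_used = now;
    for (i = 0; i < SLOTS; i++) {
        e = &cache[i];
        if (e->hash[0] && now - e->last_used > IDLE_TTL) wipe(e);  /* idle expiry */
        if (!e->hash[0]) { if (!slot) slot = e; continue; }
        if (strcmp(e->hash, hash) != 0) continue;
        slot = e;                                     /* entry for this hash */
        if (!ct_equal(e->pw, probe.pw, sizeof e->pw)) break;   /* wrong password */
        e->last_used = now; wipe(&probe); return 1;            /* cache hit */
    }
    ok = slow_validate(pw, hash) == 0;
    if (ok && slot) *slot = probe;                    /* cache successes only */
    wipe(&probe); return ok;
}
int main(void) { return !cached_validate("s3cret", "terc3s", time(NULL)); }
```

Only successful validations are cached, so a wrong guess always pays the full cost of the slow check, and because entries are keyed by the stored hash, a changed password file entry can never be satisfied from the cache.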
