httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Issac Goldstand <>
Subject Re: Password caching
Date Sun, 06 Jan 2013 07:42:01 GMT
On 05/01/2013 11:52, Igor Galić wrote:
> ----- Original Message -----
>> On Wednesday 02 January 2013, Eric Covener wrote:
>>> On Wed, Jan 2, 2013 at 4:02 PM, Stefan Fritsch <>
>> wrote:
>>>> On Wednesday 02 January 2013, Jim Jagielski wrote:
>>>>> For *real* improvement, wouldn't storing in socache be
>>>>> the optimal method?
>>>> Yes. I fear there may be some knee-jerk reaction like "oh my god,
>>>> they are keeping all the passwords in plain-text". But if it
>>>> would be limited to the shmcb socache provider, and if the
>>>> passwords would be cleared after some time of not being used, I
>>>> don't see any real security problems. Any other opinions?
>>> For authentication, can you already opt-in to effectively this with
>>> the mod_authn_socache?
>> No, mod_authn_socache only caches the lookup of the password hash. It
>> avoids having to open the password file/dbm/whatever but it still
>> calls apr_password_validate() every time. Maybe it should be extended
>> to also cache the real password and the result of
>> apr_password_validate()?
> Stupid question time:
> Why can't we store the password *hash* in the socache instead of
> the plain-text password?
> i

Igor, that is exactly what Stefan is says already happens with 
mod_authn_socache, unless I grossly misread...

I'd be +1 allowing for a directive to hash the plaintext in socache, if 
it wasn't the default.  I'd probably be +0 to it being the default, but 
only because I don't see myself as having tuits to look closely enough 
at shmcb cache to really understand the security implications for 
myself; but if the sysadmin is already opt-ing in for any sort of 
authentication caching, then (s)he already is aware of a hypothetical 
chance for a security compromise on the system to some degree or another.


View raw message