www-infrastructure-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: Centralised authentication/authorisation
Date Mon, 15 Dec 2008 23:38:23 GMT
Tony Stevenson wrote:

> Actually this is *exactly* the kind of behaviour I would expect. I don't 
> see this as lame, at all, I see it is a standard way for 
> browsers/a.n.other client to behave.

I haven't explained myself properly. Spot the flaw in the following flow:

- Enter your old password, and new password twice, click submit.
- Be told access has been denied. Enter your username, and then your new 
password a third time, click submit.

The second step kicks in because the password has changed, but the 
authnz mechanism doesn't know that and reports a sudden unexpected 
authnz failure. The user ends up confused because they are being asked 
to log in again from scratch, when they just entered their new password 
- twice - moments before.

This is one of the key reasons basic authentication is considered so 
user unfriendly, and why every web application out there has reinvented 
login over and over again.

> I'm not sure we will be forced. Or at least I hope not. I am personally 
> against SSO, as I see it is cruft, something that reduces security in 
> this way makes me worry.

Can you explain how it reduces security in more detail?

> Prompting users for their passwords for each service is not even on my 
> radar, I don't think it is that much of an issue. They have to do it 
> now, so when we introduce LDAP we won't set any expectation as to SSO 
> services, i.e. they will still need to login to each service, but now 
> with the same user/pass combo.  This means they can change their 
> password once, and be done with it.

I am all for making users' lives easier. The users are the reason we are 
doing all of this, after all.
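The flow in the message above, as an added toy model that is not part of the thread or of any Apache component: a Basic-auth server that re-checks credentials on every request, and a browser that silently resends the last credential that worked. All user names and passwords are constructed.

```python
import base64
# Added illustration (not from the thread): a toy model of a Basic-auth
# server and a browser that caches the last working credential, to show
# why a password change under Basic auth ends in a surprise 401 and a
# fresh login prompt. All names and values here are constructed.

def basic_header(user, password):
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()

class BasicAuthServer:
    """Re-validates the Authorization header on every single request."""
    def __init__(self, users):
        self.users = dict(users)

    def check(self, header):
        try:
            user, pw = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
        except (IndexError, ValueError):
            return None
        return user if self.users.get(user) == pw else None

    def request(self, header):
        return 200 if self.check(header) else 401

    def change_password(self, header, old, new):
        user = self.check(header)
        if user is None or self.users[user] != old:
            return 401
        self.users[user] = new            # server-side state moves on...
        return 200                        # ...but the browser's cache does not

class Browser:
    """Caches the last credential that got a 200 and resends it silently."""
    def __init__(self):
        self.cached = ""

    def get(self, server, user=None, password=None):
        if password is not None:
            self.cached = basic_header(user, password)
        return server.request(self.cached)

def basic_auth_flow():
    # Returns status codes for: login, password change, next request after.
    server, browser = BasicAuthServer({"alice": "old-pw"}), Browser()
    login = browser.get(server, "alice", "old-pw")
    changed = server.change_password(browser.cached, "old-pw", "new-pw")
    after = browser.get(server)   # browser still sends "old-pw" -> 401
    return login, changed, after  # (200, 200, 401)
```

The final 401 is the "access denied" step: the authnz layer is correct on its own terms, but nothing told the browser to drop the credential it cached moments earlier.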
