[development] Re: [drupal-devel] Securing Login: MD5 password
hashing using javascript
Darrel O'Pry
dopry at thing.net
Wed Nov 9 17:42:56 UTC 2005
On Wed, 2005-11-09 at 10:29 -0500, Khalid B wrote:
> Ber I agree with you that Javascript is not a solution. It gives a
> false sense of security and exposes the stored md5 hash of the
> password.
>
> I also agree with you that SSL is the ultimate solution if one really
> needs security.
>
> However, I think that SSL in Drupal is an All Or None approach. Either
> the entire site is SSL, or not SSL. There is no way at present where
> only the login is https, and the rest is http.
>
> If this is addressed, then the whole argument for these half baked
> solutions goes away: need security? Get SSL for login. Period.
Well here you go... its a bit of a kludge, but works.
patched url() and l() to have an ssl flag...
Minor touch ups to user.module.
Sry this is against 4.6.3... I haven't started playing with the
formsapi, or head yet...
.darrel.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: common.ssl.patch
Type: text/x-patch
Size: 1685 bytes
Desc: not available
Url : http://lists.drupal.org/pipermail/development/attachments/20051109/802fed24/common.ssl.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user.module.ssl.patch
Type: text/x-patch
Size: 2767 bytes
Desc: not available
Url : http://lists.drupal.org/pipermail/development/attachments/20051109/802fed24/user.module.ssl.bin
More information about the development
mailing list