[development] Re: [drupal-devel] Securing Login: MD5 password hashing using javascript

Darrel O'Pry dopry at thing.net
Wed Nov 9 17:42:56 UTC 2005

On Wed, 2005-11-09 at 10:29 -0500, Khalid B wrote:
> Ber I agree with you that Javascript is not a solution. It gives a
> false sense of security and exposes the stored md5 hash of the
> password.
> I also agree with you that SSL is the ultimate solution if one really
> needs security.
> However, I think that SSL in Drupal is an All Or None approach. Either
> the entire site is SSL, or not SSL. There is no way at present where
> only the login is https, and the rest is http.
> If this is addressed, then the whole argument for these half baked
> solutions goes away: need security? Get SSL for login. Period.

Well here you go... its a bit of a kludge, but works.
patched url() and l() to have an ssl flag...

Minor touch ups to user.module.

Sry this is against 4.6.3... I haven't started playing with the
formsapi, or head yet...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: common.ssl.patch
Type: text/x-patch
Size: 1685 bytes
Desc: not available
Url : http://lists.drupal.org/pipermail/development/attachments/20051109/802fed24/common.ssl.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: user.module.ssl.patch
Type: text/x-patch
Size: 2767 bytes
Desc: not available
Url : http://lists.drupal.org/pipermail/development/attachments/20051109/802fed24/user.module.ssl.bin

More information about the development mailing list