forms

Brad Marsh research4 at snowcrest.net
Thu Nov 21 11:50:13 PST 2002


David,

It seems to. Here's what I wrote up for my authentication scheme. I'm not
sure if it's my final version, but you get the idea.

:^)

I'm a bit stressed for time right now, but I'll look at it and see.

Cheers,

Brad

************************

Auth Scheme
Person logs in with username "username", password "greatPassword".
 Web page javascript creates MD5 hash from password before sending to server. Only encrypted password is sent, and that only once.
 http://pajhome.org.uk/crypt/md5/

 #security script:
 gets userid, password, projid from EvenStart MySQL database (password is stored MD5 hashed)
 compares the two encrypted passwords
 script fails if not identical
 creates sessionid using username and date string
 session = string.hashMD5(userid + date.timeString (includeSeconds:true))
 Stores sessionid in @pta^.adrSiteRootTable^.data.["#staff"].[userid].session (which is a string)
 Sends sessionid to browser in cookie named same as userid
 Fakes staffLogin script into thinking there is a cookie already
 Maybe could check postargs, instead. Think about it.
 Grabs projid using ODBC connector
 stores projid in @pta^.adrSiteRootTable^.data.["#staff"].[userid].projid (which is a string)
 Return...

Or person hits site with cookie already extant.
 #security script:
 reads cookie
 name of cookie is checked against list of #staff
 @pta^.adrSiteRootTable^.data.["#staff"].[userid]
 content of cookie is checked against existing sessionid
 @pta^.adrSiteRootTable^.data.["#staff"].[userid].session
 Grabs projid using ODBC connector
 stores projid in @pta^.adrSiteRootTable^.data.["#staff"].[userid].projid (which is a string)
 Return...


************************

----- Original Message -----
From: "David Stodolsky" <david.stodolsky at socialinformatics.org>
To: <Frontier-Users at userland.com>
Sent: Thursday, November 21, 2002 11:24 AM
Subject: Re: forms


>
> On Thursday, November 21, 2002, at 06:28  PM, Brad Marsh wrote:
>
> > Bruce,
> >
> > It worked for me. I've been doing quite a bit of development lately
> > (using
> > both Frontier's ODB and MySQL via ODBC) using POST and GET values.
> >
> > Email me off-list if you'd like...
> >
> I am getting ready to a matchmaking type of project. So far, the show
> stopper has been lack of security in Manila (Mac OS X Server) (I was
> thinking of just using the ODB for initial development.) Does your
> approach solve the security problem?
>
>
> dss
>
> >
> >
> David S. Stodolsky, PhD    PGP: 0x35490763    david.stodolsky at ddf.dk
>
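As an added example (not code from Brad's message or from Frontier/Manila), the two #security script paths of the scheme above written out in Python. The EvenStart MySQL table and the ODB #staff table are constructed in-memory stand-ins, and the "11:50:13 AM" format assumed for Frontier's date.timeString is an assumption.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed stand-in for the EvenStart MySQL table: userid -> (MD5(password) hex, projid).
# The password is stored MD5 hashed, as the scheme says.
STAFF_DB = {
    "username": (hashlib.md5(b"greatPassword").hexdigest(), "proj-42"),
}

# Constructed stand-in for @pta^.adrSiteRootTable^.data.["#staff"].[userid]
# (holds the session and projid strings per userid).
STAFF_TABLE = {}


def browser_hash_password(password):
    """Browser side: the pajhome MD5 script's hex MD5 of the typed password."""
    return hashlib.md5(password.encode()).hexdigest()


def login(userid, password_md5, now=None):
    """#security script, login path. Returns (cookie_name, cookie_value) or None on failure."""
    row = STAFF_DB.get(userid)
    if row is None:
        return None
    stored_md5, projid = row
    # Compare the two hashed passwords; a constant-time compare is the cautious choice.
    if not hmac.compare_digest(stored_md5, password_md5):
        return None
    # session = string.hashMD5(userid + date.timeString(includeSeconds:true))
    # Assumed timeString format: "11:50:13 AM". The id depends only on userid and
    # clock time, so two logins in the same second produce the same id.
    now = now or datetime.now()
    time_string = now.strftime("%I:%M:%S %p")
    session = hashlib.md5((userid + time_string).encode()).hexdigest()
    STAFF_TABLE[userid] = {"session": session, "projid": projid}
    return (userid, session)  # cookie is named the same as the userid


def check_cookie(cookie_name, cookie_value):
    """#security script, returning-visitor path. Returns projid or None."""
    entry = STAFF_TABLE.get(cookie_name)  # cookie name checked against the #staff list
    if entry is None:
        return None
    if not hmac.compare_digest(entry["session"], cookie_value):  # content vs stored sessionid
        return None
    entry["projid"] = STAFF_DB[cookie_name][1]  # refresh projid (ODBC lookup in the original)
    return entry["projid"]
```

Because the session id is derived from nothing but the userid and a to-the-second time string, it is deterministic rather than random; a token from `secrets.token_hex()` is the usual hardening for that step.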