Need encrypted authentication mechanism #136

Open
shaneshifflett opened this Issue Dec 22, 2010 · 10 comments

shaneshifflett commented Dec 22, 2010

Currently, the handleUserSignInForm() in functions.js does not encrypt the password before sending the payload to the server.

I believe Django automatically hashes the passwords once a User is created but I need to dig into this. We can use SSL or try and use the same hash that Django uses on the client side.

shaneshifflett commented Dec 22, 2010

http://docs.djangoproject.com/en/dev/topics/auth/#passwords

we're using sha1 hashing by default but I'm not seeing any method to compare a hashed pw with what is stored in the db without rolling our own function
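The comparison the comment is looking for, written out in Python as an added example (not code from this repository or from Django): the stored value in the `sha1$salt$hash` layout that Django used by default at the time, a function that re-derives the digest from the stored salt, and a constant-time comparison. The salt length and the sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Storage layout Django used by default when this issue was filed:
# "sha1$<salt>$<hexdigest>", with hexdigest = sha1(salt + raw_password).
ALGORITHM = "sha1"


def make_password(raw_password: str, salt: Optional[str] = None) -> str:
    """Encode raw_password in the sha1$salt$hash form.

    The salt length here (8 hex characters) is an assumption made for the
    example, not Django's exact choice.
    """
    if salt is None:
        salt = secrets.token_hex(4)
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return f"{ALGORITHM}${salt}${digest}"


def check_password(raw_password: str, encoded: str) -> bool:
    """Return True if raw_password matches the stored encoded value.

    Recomputes the digest with the stored salt, then compares it using
    hmac.compare_digest so the comparison time does not depend on how many
    leading characters happen to match.
    """
    parts = encoded.split("$")
    if len(parts) != 3:
        return False
    algorithm, salt, stored_digest = parts
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample: hash a password, then verify a right and a wrong guess.
    stored = make_password("correct horse battery staple")
    print(stored)
    print(check_password("correct horse battery staple", stored))  # True
    print(check_password("wrong guess", stored))                    # False
```

Two things this makes visible. The salt has to be known before the digest can be computed, so "using the same hash on the client side" would mean handing each user's salt to the browser before login. And if the browser sends `sha1(salt + password)` as the credential, the server has to accept that digest directly, which makes the digest itself a password equivalent on the wire; hashing at rest protects the database, while protecting the wire is the job of TLS, which is where the rest of the thread ends up.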

shaneshifflett commented Dec 22, 2010

http://stackoverflow.com/questions/2118847/does-ssl-also-encypt-ajax-posts

To go full on SSL or roll our own authentication method (better option, I think)

shaneshifflett commented Jan 26, 2011

Will need to get the ticket if we want to avoid Firefox exceptions on first visit

shaneshifflett commented Jan 26, 2011

Steps to setting up SSL

1.) In webfaction control panel, go to Websites->[Site hosting the app]->EDIT
2.) Check the SSL box and save
3.) In webfaction control panel, go to Applications->add new
4.) Create a static/CGI/PHP application (I named this one testing1_https_fwd)
5.) SSH into the webfaction server/webapps/ and create a .htaccess file
6.) To forward all HTTP traffic to the HTTPS web site, add the following lines to .htaccess

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteCond %{REQUEST_URI} ^
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

7.) In webfaction control panel, go to websites->add new
8.) create a new site to host the newly created app, I called this one testing1_https_redir

Used documentation on the webfaction community site (http://community.webfaction.com/questions/875/the-recommended-way-for-securing-django-admin-with-sslhttps) and the webfaction docs (http://docs.webfaction.com/software/static.html#redirect-a-domain-with-a-static-cgi-php-app)

Passwords are still sent in plain text but it's up to HTTPS to make the wire safe. No attackers should be able to intercept...
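To make the semantics of the three rewrite lines in step 6 concrete, here is a small Python model of what they decide for a given request. It is an added example, not part of the comment or the project. It assumes Apache's mod_rewrite behaviour for `RewriteCond %{HTTP:X-Forwarded-SSL} !on`: the pattern `on` is a regex searched anywhere in the header value and, with no `[NC]` flag, the search is case-sensitive. Host names and header values are constructed.

```python
import re
from typing import Mapping, Optional


def https_redirect_target(host: str, request_uri: str,
                          headers: Mapping[str, str]) -> Optional[str]:
    """Model of the three .htaccess lines from step 6.

    Returns the https:// URL Apache would redirect to (the [R] flag), or
    None when the request is left alone.

    RewriteCond %{HTTP:X-Forwarded-SSL} !on
        "on" is a regex searched unanchored in the header value; without
        [NC] the search is case-sensitive. The condition holds when "on" is
        NOT found, which includes the case where the header is absent.
    RewriteCond %{REQUEST_URI} ^
        An empty anchor matches every URI, so this condition is always true.
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
        Host and URI are copied unchanged into the redirect target.
        (Query-string handling is left out of this model.)
    """
    forwarded_ssl = ""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-ssl":  # header names are case-insensitive
            forwarded_ssl = value
            break
    if re.search("on", forwarded_ssl):
        return None  # front-end proxy says the client connection is already TLS
    return f"https://{host}{request_uri}"


def redirect_count(host: str, request_uri: str, proxy_value: str,
                   max_hops: int = 3) -> int:
    """Simulate a proxy that keeps sending the same X-Forwarded-SSL value.

    Returns how many redirects are issued before a request passes through;
    reaching max_hops means the rule set loops for that header value.
    """
    hops = 0
    while hops < max_hops:
        target = https_redirect_target(host, request_uri,
                                       {"X-Forwarded-SSL": proxy_value})
        if target is None:
            return hops
        hops += 1
    return hops


if __name__ == "__main__":
    # Constructed requests: plain HTTP, TLS at the proxy, and a mismatched value.
    print(https_redirect_target("app.example", "/login/", {}))
    print(https_redirect_target("app.example", "/login/", {"X-Forwarded-SSL": "on"}))
    print(redirect_count("app.example", "/", "on"))  # 0: passes through
    print(redirect_count("app.example", "/", "ON"))  # 3: redirect loop
```

The practical check this encodes: the rule only works if the front-end proxy sets `X-Forwarded-SSL` to exactly a value containing lowercase `on` for TLS connections. Any other spelling from the proxy keeps the condition true after the redirect and the browser ends up in a redirect loop, which is one of the first things to look at when a redirect only behaves for some of the site's host names.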

shaneshifflett commented Jan 26, 2011

One thing I noticed is that with HTTPS on production, production.medill2010.webfactional.com is the only URL that works with the forwarding script... reverting until I can figure out why

shaneshifflett commented Feb 9, 2011

Yep you're right! I didn't bother signing testing because only devs should see the site and they should know what's up. Currently, sourcerer.us has a signed cert (though there is some non-https content from flickr).
