Ooops: Re: [geeklog-devel] Re: A&A AEPasswordGenerator.class.php
Tony Bibbs
tony at tonybibbs.com
Tue Jun 22 13:59:15 EDT 2004
Problem with Outbox with Ximian Evolution. Sorry for the repeated messages.
--Tony
Tony Bibbs wrote:
>On Tue, 2004-06-22 at 10:31, Vincent Furia wrote:
>
>
>>Tony,
>>
>>I rewrote the password generator/validator using regex to give much
>>more flexibility when it comes to creating rules (see attached).
>>Since the generator is creating a random password (can really only be
>>broken brute force) from a decent sized set of characters I didn't
>>think enforcing any rules is really necessary. Especially since A&A
>>should probably force a password change after a password reset upon
>>first login...
>>
>>
>
>Enforcing password rules is more important when the user changes their
>own password. If you look at the changePassword() and
>changePasswordByAdmin() on the AEPearDBProvider you'll notice we verify
>the strength of the password against our configured rules. If you can
>at least agree to that much, I don't think it is a stretch to say we may
>as well enforce the rules on passwords generated by our system.
>
>Use of regex is fine, I personally don't like it because it is hard to
>read and this code probably won't get hammered too much but the
>performance gain is duly noted and I'm flexible.
>
>
>
>>Also, I thought I'd suggest password reset support like Dirk has placed
>>into the most recent version of Geeklog. i.e. you send a link that
>>includes a big random value (hash of some kind) and make the user
>>change their password when following the link. This is easy to
>>implement with a built in Auth system, not sure how you would do this
>>(or force a password change) with A&A... Catch me on IRC sometime and
>>we can talk more about it...
>>
>>
>
>The hard part is deciding how much Auth_Enterprise should do versus the
>application. You could very easily implement that at the application
>level. If you notice, right now I don't even have different
>registration methods because I think I'd like to see a good discussion
>by us all on whether or not we should add this. I think the answer is
>yes we should include this stuff but if we do so it will make the
>administration and support more complicated for end users. For now all
>I did was implement the createAccount() method and figured we'd wrap all
>the bells and whistles in after we make some final decisions.
>
>
>
>>Anyway, hope you like the changes I made. The rest of A&A looks
>>pretty good, if a bit of overkill for most people running Geeklog. :)
>>
>>
>>
>
>Just keep in mind that Geeklog 2, from my view point, is less to do with
>the hobbyists and more to do with the attractiveness for businesses and
>organizations. Granted, our current user base is important to us and I
>can't highlight that enough but the days of my writing software with no
>sort of compensation are coming to an end. Obviously this is only my
>personal take and it may come off a bit selfish but GL2 will basically
>end up deciding how involved I stay.
>
>Bottom line is when installing Geeklog 2, Auth_Enterprise should install
>itself seamlessly and with little to no hassle so from that view,
>nothing should change. My plan to support this is we will include the
>Auth_Enterprise table structures into the Geeklog2 database and default
>it to the AEPearDBProvider for all account management. Those who want
>LDAP or some other configuration will simply have more work (albeit
>fairly trivial work).
>
>
>
>>I think it'd be cool if we implemented single sign on. I wasn't sure
>>if you had any ideas how to implement that, again I'd be happy to chat
>>(IRC or voice) with you about it sometime.
>>
>>
>
>Implementing SSO is actually pretty easy. All you would have to do is
>add some session tables to the database and, using PHP sessions, we
>would serialize the AEServiceUser object there. Using SSO would require
>a single login page for all applications so that an SSO token can be
>added to the cookies and then a few new methods to the API for verifying
>SSO tokens. I think for what we are doing, this would be more of a
>version 2 release of Auth_Enterprise.
>
>I'm open to suggestions.
>
>--Tony
>
>_______________________________________________
>geeklog-devel mailing list
>geeklog-devel at lists.geeklog.net
>http://lists.geeklog.net/listinfo/geeklog-devel
>
>
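The thread touches three mechanisms: regex-based password rules (Vincent's rewrite), Tony's point that generated passwords should satisfy the same rules users are held to, and a reset link carrying a large random value that forces a password change. The following PHP is an added example written for this page, not code from Auth_Enterprise, Geeklog or either author; the rule array format, the function names (validatePassword, generatePassword, issueResetToken, redeemResetToken) and the in-memory `$store` standing in for a session/reset table are all assumptions made here.

```php
<?php
// Added example, not Auth_Enterprise code. Illustrates: regex password rules,
// a generator that is held to the same rules, and single-use reset tokens.

// Constructed policy (assumed format): regex => human-readable requirement.
$policyRules = [
    '/^.{10,}$/'     => 'at least 10 characters',
    '/[a-z]/'        => 'at least one lowercase letter',
    '/[A-Z]/'        => 'at least one uppercase letter',
    '/[0-9]/'        => 'at least one digit',
    '/[^a-zA-Z0-9]/' => 'at least one symbol',
];

/** Return the descriptions of every violated rule; an empty array means the password passes. */
function validatePassword(string $password, array $rules): array
{
    $violations = [];
    foreach ($rules as $regex => $description) {
        if (preg_match($regex, $password) !== 1) {
            $violations[] = $description;
        }
    }
    return $violations;
}

/**
 * Draw a random password from a decent-sized alphabet and keep drawing until it
 * satisfies the same rules applied in changePassword(), so generated and
 * user-chosen passwords are held to one policy.
 */
function generatePassword(array $rules, int $length = 14, int $maxTries = 100): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+';
    $last = strlen($alphabet) - 1;
    for ($try = 0; $try < $maxTries; $try++) {
        $candidate = '';
        for ($i = 0; $i < $length; $i++) {
            $candidate .= $alphabet[random_int(0, $last)]; // CSPRNG (PHP >= 7)
        }
        if (validatePassword($candidate, $rules) === []) {
            return $candidate;
        }
    }
    throw new RuntimeException('could not generate a password meeting the policy');
}

/**
 * Reset link: the emailed token is a large random value; only its hash and an
 * expiry are stored, so reading the table does not yield working links.
 * $store is an assumed in-memory stand-in for a database table.
 */
function issueResetToken(array &$store, string $userId, int $ttlSeconds = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits of entropy
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => time() + $ttlSeconds];
    return $token; // this value goes into the link sent to the user
}

/** Return the user id for a valid, unexpired token and consume it; null otherwise. */
function redeemResetToken(array &$store, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $entry = $store[$key];
    unset($store[$key]); // single use: consumed whether or not it turns out to be expired
    if ($entry['expires'] < time()) {
        return null;
    }
    return $entry['user']; // caller now forces a password change for this user
}

// Demo with constructed values.
$store = [];
print_r(validatePassword('password', $policyRules)); // the rules a weak choice violates
$generated = generatePassword($policyRules);
var_dump(validatePassword($generated, $policyRules) === []); // generator held to the same rules
$token = issueResetToken($store, 'alice');
var_dump(redeemResetToken($store, $token)); // first redemption returns the user id
var_dump(redeemResetToken($store, $token)); // second redemption is refused
```

Two design points worth noting: the generator reuses validatePassword() rather than carrying its own copy of the rules, so a policy change in one place cannot silently diverge between generated and user-chosen passwords; and redeemResetToken() deletes the record before checking expiry, so a stale token cannot be retried later. In a real provider the `$store` array would be the reset table in the same database that holds the AEPearDBProvider account data.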