Quote:
_masi wrote:
Hmm, I'm sure there is a way to use a "secret" cookie style without changing the internal stored format (i.e. plain login and hashed password). I'll try and think of a method - it'd be on paper cause I'm off to a vacation soon.
I wish you a successful rest!
I have been thinking here. It is possible to add a third parameter - a checksum. The idea is to hash a string based on the user's password + a secret word. I thought that such a word could not be devised, since the script's code is open. And then I figured that this word should be the password of the administrator (i.e. the user with ID = 1). Thus we get a binding to the administrator's password as a secret key. A quite reasonable way of protection. In principle it is possible to break it, but it is not so easy. And more likely only an individual login, by sniffing the client's traffic. This method will protect the system first of all from brute-forcing hashes of common passwords.
Well, how is it? Secure enough?
Mmm. The administrator can change the password! It is necessary to look for another binding. But what?
Quote:
And you don't need to change many things to get something configurable. XOOPS provides a quite advanced configuration system. It uses a general table and an OO-API for access. I'll dig up some info for you how to use it.
For this purpose it was necessary for me to make changes in SQL. I mean strong structural changes. Such changes can make a successful update of XOOPS impossible in the future. Therefore they should be introduced only in the development of the new version (I mean in CVS).
Quote:
Epsylon3 wrote:
uhm, oh yea passw is not stored in cookie, only the md5 hash?
Yes, that is so. I have now made changes to the first message, where I have specified this feature separately.
And I have also changed the way the user name was stored in plain form, to the user ID.
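
The checksum idea discussed in this post, as an added example that is not part of the original post and is not XOOPS code. It assumes a cookie layout of user ID, md5 password hash and checksum, uses HMAC-SHA256 in place of a plain hash of password + secret word, and takes the secret from a hypothetical site-wide setting rather than the administrator's password; all function names and sample values are constructed.

```php
<?php
// Added example, not XOOPS code. Assumed cookie layout: "<uid>:<md5 hash>:<checksum>".
// All names and values below are hypothetical / constructed.

function cookie_checksum(int $uid, string $passHash, string $secret): string
{
    // HMAC-SHA256 stands in for the post's "hash of password + secret word".
    return hash_hmac('sha256', $uid . ':' . $passHash, $secret);
}

function make_login_cookie(int $uid, string $passHash, string $secret): string
{
    return $uid . ':' . $passHash . ':' . cookie_checksum($uid, $passHash, $secret);
}

// Returns the uid on success, null on any failure.
function verify_login_cookie(string $cookie, array $users, string $secret): ?int
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;
    }
    [$uidText, $passHash, $mac] = $parts;
    $uid = (int) $uidText;
    // Check the keyed checksum before touching the user table; constant-time compare.
    if (!hash_equals(cookie_checksum($uid, $passHash, $secret), $mac)) {
        return null;
    }
    if (!isset($users[$uid]) || !hash_equals($users[$uid], $passHash)) {
        return null;
    }
    return $uid;
}

// Constructed sample data: uid => stored md5 password hash.
$users  = [1 => md5('admin-pass-constructed'), 7 => md5('123456')];
$secret = 'constructed-site-secret';

// Case 1: cookie issued by the server with the current secret.
$good = make_login_cookie(7, $users[7], $secret);
var_dump(verify_login_cookie($good, $users, $secret));

// Case 2: cookie built from a guessed common-password hash, without the secret.
$forged = '7:' . md5('123456') . ':' . hash('sha256', '7:' . md5('123456'));
var_dump(verify_login_cookie($forged, $users, $secret));

// Case 3: the secret changes (the administrator-password problem raised in the post),
// so a previously issued cookie is checked against a different key.
var_dump(verify_login_cookie($good, $users, 'rotated-secret'));
```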