[TYPO3-project-4-3] Salted Passwords in Combination with RSAauth

Ingmar Schlecht ingmar at typo3.org
Mon Jun 15 11:42:33 CEST 2009


Hi Steffen,

Steffen Ritter wrote:
> The service stuff is supposed to act like: if one fails, go to the next
> one. With your -1 you disable all following services. This is against
> the principle, and if I want to use a service after yours, there's no other
> possibility.

The -1 is very important there, because it prevents the old
superchallenged login mechanism from working. It is important to prevent
superchallenged from working, because otherwise people could still
submit the plain old MD5 they got from an SQL injection out of the
database and be logged in. Since RSA is there to prevent the
possibility of logging in with only the MD5 from the database, it is
important that it returns -1 there.

However, if you consider that scenario and make sure this can never
happen, returning something other than -1 could be considered.

cheers
Ingmar
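
The chain behaviour and the pass-the-hash scenario Ingmar describes, as a Python model added here (it is not TYPO3 code and comes from neither poster). Assumptions: the return-code convention (>= 200 authenticated and stop, 100..199 try the next service, <= 0 reject and abort the chain) follows the thread's description; the superchallenged response is modelled as md5(username:md5(password):challenge), a simplified formula assumed for the example; the RSA transport is not modelled, so the salted service receives the already-decrypted plaintext; PBKDF2 stands in for whatever hash the saltedpasswords extension uses; the user record, challenge and logins are constructed. The "stolen" MD5 is the value an SQL injection would read out of the user table.

```python
"""Model of a chained-authentication-service login and of why a salted,
RSA-transported service must answer -1 to an old superchallenged login."""
import hashlib
import hmac
import os

AUTH_OK = 200          # authenticated, stop asking further services
AUTH_UNDECIDED = 100   # "not my job", ask the next service
AUTH_REJECT = -1       # rejected, and no further service is asked


def run_chain(services, user, login):
    """Ask each service in priority order until one of them decides."""
    for service in services:
        ret = service(user, login)
        if ret >= AUTH_OK:
            return True
        if ret >= AUTH_UNDECIDED:
            continue
        return False          # <= 0 aborts the chain right here
    return False              # nobody accepted the login


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Old scheme: a challenge/response computed over the *stored* MD5, so the
# client never needs the password itself, only what sits in the database.
def superchallenged_uident(username, password_md5, challenge):
    """Assumed, simplified form of the old client-side response."""
    return md5_hex(f"{username}:{password_md5}:{challenge}")


def legacy_superchallenged_service(user, login):
    if login["mode"] != "superchallenged":
        return AUTH_UNDECIDED
    expected = superchallenged_uident(user["username"], user["password_md5"],
                                      login["chalvalue"])
    return AUTH_OK if hmac.compare_digest(expected, login["uident"]) else AUTH_REJECT


# New scheme: salted hash in the database, password sent under RSA.
def make_salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 stands in for the real saltedpasswords hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"


def check_salted_hash(password, stored):
    _, _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 20_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_salted_rsa_service(answer_to_superchallenged=AUTH_REJECT):
    """Factory so both answers debated in the thread can be compared.
    login["password"] is the already RSA-decrypted plaintext (assumption)."""
    def service(user, login):
        if login["mode"] != "rsa":
            return answer_to_superchallenged
        if not user.get("salted"):
            return AUTH_UNDECIDED         # user not migrated yet
        if check_salted_hash(login["password"], user["salted"]):
            return AUTH_OK
        return AUTH_REJECT
    return service


def demo():
    """Constructed user, challenge and logins; who gets in under which chain."""
    user = {"username": "admin",
            "password_md5": md5_hex("correct horse"),
            "salted": make_salted_hash("correct horse")}
    challenge = md5_hex("server-nonce-1")              # constructed challenge
    stolen_md5 = user["password_md5"]                  # what SQL injection yields
    forged = {"mode": "superchallenged", "chalvalue": challenge,
              "uident": superchallenged_uident("admin", stolen_md5, challenge)}
    genuine = {"mode": "rsa", "password": "correct horse"}
    wrong = {"mode": "rsa", "password": "wrong password"}
    legacy = [legacy_superchallenged_service]
    hardened = [make_salted_rsa_service(AUTH_REJECT), legacy_superchallenged_service]
    lenient = [make_salted_rsa_service(AUTH_UNDECIDED), legacy_superchallenged_service]
    return {
        "stolen_hash_legacy_chain": run_chain(legacy, user, forged),      # True
        "stolen_hash_with_minus_one": run_chain(hardened, user, forged),  # False
        "stolen_hash_with_100": run_chain(lenient, user, forged),         # True
        "genuine_rsa_login": run_chain(hardened, user, genuine),          # True
        "wrong_rsa_password": run_chain(hardened, user, wrong),           # False
    }
```

Calling demo() shows the whole argument in one table: with only the legacy service, or with the salted service answering 100 and passing the request on, the forged superchallenged login built from the stolen MD5 succeeds; with the salted service answering -1 it is rejected before the legacy service ever sees it, while a genuine RSA login with the correct password still gets 200.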

