[TYPO3-v4] Request for comments: Separating password transmission from password comparison
Helmut Hummel
helmut.hummel at typo3.org
Fri Dec 23 19:00:01 CET 2011
Hi Dmitry!
On 23.12.11 14:19, Dmitry Dulepov wrote:
> It is always possible to make it right and compatible.
OK, I'm all for it, because this is what I wanted to achieve and think I
have achieved.
> But I do not object
> any more. In fact, I just removed my -2 and I will not make a single
> negative feedback to anything from now on. Let it be.
I'm all for feedback, even negative one. Please don't stop doing so.
I only ask for constructive feedback so that things can be changed to
the good. I probably missed that in the feedback I got so far, did I?
Until now, every single point you complained about I tried to explain
why I did it this way and why it does not break things.
There is however one thing that is different after my change, but this
adds more clarity and consistency and this is that $this->login['uident']
always contains what has been submitted through the login form.
It's nothing more than 7 lines of code to keep this (inconsistent)
behaviour and to couple the authentication service a bit more to the
t3lib_userauth object.
I doubt it is the case but I really like to hear arguments why keeping
this inconsistency for BC is useful for external services.
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org