[Mailman-Developers] Hashing member passwords in config.pck

Barry Warsaw barry at python.org
Sat Feb 12 00:38:43 CET 2005


On Fri, 2005-02-11 at 05:01, Ian Eiloart wrote:

> >> I'm all for the password-less stuff, but then how do you authenticate for
> >> members-only archives?  I've got big lists that must be members-only for
> >> the archives.
> >>
> >
> >>> Most of the user operations should be done by confirmation string
> >>> sent by email message.
> >
> > Operations include authentication.
> 
> So, to access the private archive I have to wait for an email message?

One way to make this not suck as much is to drop a cookie that lives
longer than the session, after you click-authenticate the first time. 
However, this is fairly dangerous if you were to read private archives
from a public machine, which is why cookies all currently expire at the
end of the browser session.

The same situation occurs for accessing the options page, but that is a
much less common operation.  Maybe users are willing to wait for an
email round-trip in order to change their options.  I tend to think not
though -- they may be hitting the web interface from a machine that doesn't
have access to their mail, and then they're screwed.

Integrating with external user storages for authentication should help
out a lot here, but I'm just not seeing how we can totally eliminate
passwords.  I'm willing to be convinced though.

-Barry
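The two mechanisms Barry contrasts above, a one-time confirmation string sent by email and a signed cookie issued after the click-authentication (session-only today, longer-lived as the proposed convenience), sketched in Python as an added example. This is not Mailman's code and not from the thread; the class and function names, the `|`-separated cookie layout and the hard-coded signing secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret for signing cookies; a real deployment would load
# it from configuration, never hard-code it.
SERVER_SECRET = b"example-only-secret"

DAY = 86400


class ConfirmationStore:
    """One-time confirmation strings of the kind sent in an email message.

    Only a hash of each string is kept, so a leaked store does not hand out
    usable links; the string itself travels only in the emailed URL.
    """

    def __init__(self, ttl_seconds=3 * DAY):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (email, listname, expires_at)

    def issue(self, email, listname, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, listname, now + self.ttl)
        return token

    def consume(self, token, now=None):
        """Return (email, listname) once for a valid string, else None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(digest, None)  # single use either way
        if record is None:
            return None
        email, listname, expires_at = record
        if now > expires_at:
            return None
        return email, listname


def make_cookie(email, listname, now, remember_days=0):
    """Build an HMAC-signed cookie value after a successful click-authentication.

    remember_days=0 gives a browser-session cookie (the current behaviour);
    a positive value embeds an absolute expiry for a longer-lived cookie.
    """
    if "|" in email or "|" in listname:
        raise ValueError("field may not contain the separator")
    expires_at = 0 if remember_days == 0 else int(now + remember_days * DAY)
    payload = f"{email}|{listname}|{expires_at}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def set_cookie_header(name, value, remember_days=0):
    """Render the Set-Cookie header; omitting Max-Age makes it session-only."""
    header = f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"
    if remember_days:
        header += f"; Max-Age={remember_days * DAY}"
    return header


def check_cookie(value, now):
    """Return (email, listname) if the cookie is genuine and unexpired."""
    parts = value.split("|")
    if len(parts) != 4:
        return None
    email, listname, expires_s, mac = parts
    payload = f"{email}|{listname}|{expires_s}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    expires_at = int(expires_s)
    if expires_at and now > expires_at:
        return None
    return email, listname


if __name__ == "__main__":
    # Constructed walk-through: email link clicked, then a cookie is set.
    store = ConfirmationStore()
    link_token = store.issue("alice@example.org", "mylist")
    who = store.consume(link_token)
    cookie = make_cookie(who[0], who[1], time.time(), remember_days=7)
    print(set_cookie_header("mailman_private", cookie, remember_days=7))
    print(check_cookie(cookie, time.time()))
```

The public-machine risk in the message lives entirely in `remember_days`: a session cookie carries no Max-Age and is dropped when the browser closes, whereas the persistent variant stays valid until its embedded expiry on whatever machine it was set, so it should only be issued on an explicit opt-in.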
