If you are making a framework for this part then one thing to consider is passwords. Most frameworks leave this up to the user, so the user does the simplest thing they can: they store plain text passwords. You can tell these sites because when you forget your password and press the password recovery link they send you your password directly (ironically, pgp.com does this too!).
Obviously if the password is stored in plain text, then once your site is hacked all your users' passwords will be known. This won't make your users happy. So it would be nice to have some kind of password object or something that always does some kind of one-way encryption on the passwords (e.g. using MD5).

It would be nice for something to do the whole password recovery stage as well, since this always works the same: user clicks a link, gets an email forwarded that points to a secure site where they can type in a new password, since passwords are not recoverable.

Just something to think about.
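The two pieces the message asks for, a password object that only ever stores a one-way salted hash and the emailed-link reset flow, as an added example that is not code from the original thread or from Keith's framework. The class and constant names (PasswordHash, UserStore, ITERATIONS, TOKEN_TTL_SECONDS) are this example's own choices, and it uses PBKDF2-HMAC-SHA256 rather than the MD5 the message mentions, since unsalted MD5 hashes are recoverable by table lookup today:

```python
"""Added example: one-way password storage plus a single-use, expiring reset token."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# PBKDF2 work factor and reset-link lifetime (assumed values; tune per deployment).
ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 3600


class PasswordHash:
    """Password object: callers only ever see a salted one-way hash, never the clear text."""

    @staticmethod
    def create(password: str) -> str:
        salt = os.urandom(16)  # fresh random salt per stored password
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

    @staticmethod
    def verify(password: str, stored: str) -> bool:
        try:
            algo, iters, salt_hex, digest_hex = stored.split("$")
        except ValueError:
            return False  # malformed record: fail closed
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iters))
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash checked for unknown usernames, so a login attempt costs the same time either way.
_DUMMY_HASH = PasswordHash.create(secrets.token_hex(16))


class UserStore:
    """In-memory stand-in for the framework's user table (constructed for this example)."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._users = {}       # username -> stored hash string
        self._resets = {}      # sha256(token) -> (username, expiry timestamp)

    def register(self, username: str, password: str) -> None:
        self._users[username] = PasswordHash.create(password)

    def login(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        if stored is None:
            PasswordHash.verify(password, _DUMMY_HASH)  # burn the same time, then refuse
            return False
        return PasswordHash.verify(password, stored)

    def request_reset(self, username: str) -> Optional[str]:
        """Step 1: user clicks the recovery link. Returns the token to embed in the
        emailed URL, or None for an unknown account. Only a hash of the token is
        kept, so a copy of this table cannot be used to reset anyone's password."""
        if username not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._resets[key] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the link lands on an HTTPS page where the user types a new password.
        The token is single-use and expires; the old password was never stored, so
        nothing is ever mailed back to the user in the clear."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._resets.pop(key, None)  # pop: a token can only be redeemed once
        if entry is None:
            return False
        username, expiry = entry
        if self._now() > expiry:
            return False
        self._users[username] = PasswordHash.create(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse")
    print("login ok:", store.login("alice", "correct horse"))
    token = store.request_reset("alice")          # in practice goes into the email link
    print("reset ok:", store.complete_reset(token, "new pass"))
    print("old password now rejected:", not store.login("alice", "correct horse"))
```

The stored record carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed at next login without a migration; the reset table stores only a hash of the token for the same reason the user table stores only a hash of the password.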
Sure! In the interests of minimal configurable components, this bit only provides the wiring to your supplied plugin.

At present using MySQL I am storing the passwords in the db in PASSWORD("blah") format and querying them the same. However the Cryptography package is capable of generating a hash so that plaintext does not need to be exchanged with the server.

I haven't got to password reminding schemes, or supervised password resetting yet. I need at least one scheme soon.

Thanks for a "requirements statement".

Keith