Website for storing flight information, rendering paths on a zoomable world map and calculating statistics, with plenty of free airline, airport and route data.
The current authentication scheme has multiple downsides.
Sessions expire too fast and we keep getting issues related to this. It's also just really annoying.
43
571
770
793
875
Distributed across multiple places: Challenges are issued via requests to map.php, password hashing is done client side, and only then can we send a login requests to login.php.
The client side password hashing might be obsolete? I believe all this is in place to avoid transmitting credentials in plaintext in a pre-TLS era. Now that the website is HTTPS-only, is this still required?
@reedy Isn't this something right up your alley? :)
chrisrosset
commented
1 year ago
The current authentication scheme has multiple downsides.
43
571
770
793
875
map.php, password hashing is done client side, and only then can we send a login requests tologin.php.@reedy Isn't this something right up your alley? :)