Open shaneshifflett opened 13 years ago
http://docs.djangoproject.com/en/dev/topics/auth/#passwords
We're using SHA1 hashing by default, but I'm not seeing any method to compare a hashed password with what is stored in the DB without rolling our own function.
http://stackoverflow.com/questions/2118847/does-ssl-also-encypt-ajax-posts
To go full on SSL or roll our own authentication method (better option, I think)
Don't need to buy a cert:
Will need to get the ticket if we want to avoid Firefox exceptions on first visit
Steps to set up SSL
1.) In webfaction control panel, go to Websites->[Site hosting the app]->EDIT
2.) Check the SSL box and save
3.) In webfaction control panel, go to Applications->add new
4.) Create a static/CGI/PHP application (I named this one testing1_https_fwd)
5.) SSH into the webfaction server/webapps/
    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-SSL} !on
    RewriteCond %{REQUEST_URI} ^
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
7.) In webfaction control panel, go to websites->add new
8.) Create a new site to host the newly created app, I called this one testing1_https_redir
Used documentation on [webfaction community site|http://community.webfaction.com/questions/875/the-recommended-way-for-securing-django-admin-with-sslhttps] and [webfaction docs|http://docs.webfaction.com/software/static.html#redirect-a-domain-with-a-static-cgi-php-app]
Passwords are still sent in plain text but it's up to HTTPS to make the wire safe. No attackers should be able to intercept...
One thing I noticed is that with HTTPS on production, production.medill2010.webfactional.com is the only URL that works with the forwarding script... reverting until I can figure out why
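The redirect rule in the steps above makes one decision per request: if the front-end proxy did not mark the request as having arrived over TLS (X-Forwarded-SSL is not exactly "on"), send the client to the same URL under https://. The following is an added example, not code from the issue, from Webfaction or from the project; it expresses that same decision as WSGI middleware so it can be exercised offline with constructed requests. It assumes the front-end proxy sets X-Forwarded-SSL: on for TLS requests and overwrites any copy the client sent, and it adds an assumed allowed-host list (seeded with the production hostname the thread mentions) because the rewrite rule copies whatever Host header the client supplied into the redirect target.

```python
# Added example (not code from the issue or from Webfaction): the decision made by the
# mod_rewrite rule in the thread, RewriteCond %{HTTP:X-Forwarded-SSL} !on, expressed as
# WSGI middleware so it can be exercised offline. Assumptions: the front-end proxy sets
# X-Forwarded-SSL: on for requests it received over TLS and overwrites any copy the
# client sent, and ALLOWED_HOSTS lists the names the site is actually served under.
from urllib.parse import quote

# Assumed host list; production.medill2010.webfactional.com is the name the thread mentions.
ALLOWED_HOSTS = {"production.medill2010.webfactional.com"}


def is_forwarded_ssl(environ):
    """Mirror the rule exactly: only the literal value 'on' counts (the CondPattern is
    case-sensitive, so 'On' or 'true' would still trigger the redirect)."""
    return environ.get("HTTP_X_FORWARDED_SSL", "") == "on"


def https_url(environ):
    """https://%{HTTP_HOST}%{REQUEST_URI}: same host, same path and query string."""
    path = quote(environ.get("PATH_INFO", "") or "/")
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (environ["HTTP_HOST"], path, "?" + query if query else "")


class ForceHTTPS:
    """Redirect plain-HTTP requests to the HTTPS URL; pass forwarded-TLS requests through."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app = app
        self.allowed_hosts = allowed_hosts

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "")
        if host not in self.allowed_hosts:
            # The rewrite rule copies whatever Host the client sent into the redirect
            # target; refusing unknown hosts keeps the redirect from pointing off-site.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"bad host\n"]
        if not is_forwarded_ssl(environ):
            # [R] without an explicit code is a 302, so match that.
            start_response("302 Found", [("Location", https_url(environ)),
                                         ("Content-Type", "text/plain")])
            return [b""]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the Django app behind the redirect."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run(app, environ):
    """Invoke a WSGI app on a constructed environ and return (status, headers, body)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status
        result["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return result["status"], result["headers"], body


def plain_http_request():
    """Constructed environ: what the app sees when the request reached the front end over HTTP."""
    return {"REQUEST_METHOD": "GET", "HTTP_HOST": "production.medill2010.webfactional.com",
            "PATH_INFO": "/login/", "QUERY_STRING": "next=/"}


if __name__ == "__main__":
    app = ForceHTTPS(hello_app)
    print(run(app, plain_http_request()))                       # 302 to the https:// URL
    print(run(app, dict(plain_http_request(), HTTP_X_FORWARDED_SSL="on")))  # 200 hello
```

The two things worth noticing when running it: the app itself never sees TLS (Webfaction terminates it at the front end), so the header is the only signal it has, which is why a proxy that fails to strip a client-supplied X-Forwarded-SSL lets a client skip the redirect; and the Location header is built from the client's Host, which the allow-list guards.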
Yep, you're right! I didn't bother signing testing because only devs should see the site and they should know what's up. Currently, sourcerer.us has a signed cert (though there is some non-https content from flickr).
Currently, the handleUserSignInForm() in functions.js does not encrypt the password before sending the payload to the server.
I believe Django automatically hashes the passwords once a User is created but I need to dig into this. We can use SSL or try and use the same hash that Django uses on the client side.
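Two points in this thread concern the same mechanism: the opening post's search for a way to compare a submitted password against the stored SHA1 hash, and the last comment's idea of running "the same hash that Django uses" on the client side. The block below is an added example, not code from the issue, the project or Django itself. It reimplements the sha1$salt$hexdigest format Django 1.x stored in User.password (hexdigest = sha1(salt + password)), which Django exposes for verification as User.check_password(), and then shows what happens to that check once the browser sends the digest instead of the password. The salt length used for new hashes is an assumption; the format is otherwise as described.

```python
# Added example, not code from the issue or from Django. It reimplements the
# "sha1$<salt>$<hexdigest>" password format Django 1.x stored in User.password, where
# hexdigest = sha1(salt + password), so the comparison the thread could not find
# (Django exposes it as User.check_password) can be seen end to end, and shows why
# hashing on the client with the same scheme does not remove the need for HTTPS.
import hashlib
import hmac
import secrets

UNUSABLE = "!"  # Django's marker for an account with no usable password


def _sha1_hexdigest(salt, raw_password):
    return hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()


def make_password(raw_password, salt=None):
    """Return the stored form. Django 1.x used a 5-character hex salt; a longer random
    salt is used here by assumption, the format is otherwise the same."""
    if salt is None:
        salt = secrets.token_hex(8)
    return "sha1$%s$%s" % (salt, _sha1_hexdigest(salt, raw_password))


def check_password(raw_password, encoded):
    """Fail closed: unusable, malformed or non-sha1 values never verify. The digest
    comparison is constant-time so a wrong guess cannot be timed against the stored hash."""
    if encoded == UNUSABLE or encoded.count("$") != 2:
        return False
    algorithm, salt, digest = encoded.split("$")
    if algorithm != "sha1":
        return False
    return hmac.compare_digest(_sha1_hexdigest(salt, raw_password), digest)


def login_with_transmitted_digest(sent_digest, encoded):
    """What 'use the same hash on the client side' amounts to: the browser would need the
    salt, would send sha1(salt + password), and the server could only compare digest to
    digest. The transmitted digest is then the credential: anyone who captures it on an
    unencrypted connection logs in by replaying it, without ever learning the password."""
    if encoded == UNUSABLE or encoded.count("$") != 2:
        return False
    _, _, stored_digest = encoded.split("$")
    return hmac.compare_digest(sent_digest, stored_digest)


if __name__ == "__main__":
    stored = make_password("correct horse battery staple", "abc12")
    print(stored)
    print(check_password("correct horse battery staple", stored))   # True
    print(check_password("wrong", stored))                          # False
    captured = stored.split("$")[2]  # what a sniffer would see instead of the password
    print(login_with_transmitted_digest(captured, stored))          # True: replay works
```

The last function is the reason the SSL route wins: client-side hashing only changes which string the attacker has to capture, and the server has to hand out the per-user salt before login to make it work at all. Keeping the plaintext password on the wire but inside TLS, and verifying with the stored-hash comparison on the server, is what the thread settles on.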