sdiaz / FOSRestBundleByExample

FOSRestBundle example project with Symfony 2.6 standard distribution
MIT License

UserInterface in PlainText #4

Open babour opened 11 years ago

babour commented 11 years ago

Hi,

I just looked around and I saw that the UserInterface of FOSUserBundle must be in plaintext. How does it impact the security if we do that and also use the regular login method (i.e using the form)?

Thanks,

sdiaz commented 11 years ago

This is an issue of WSSE and Symfony, as you may deactivate the SALT on password storage. Without the salt you cannot create a Token on client side.

babour commented 11 years ago

This is a major issue, how can you secure the login with any salt or encryption?

sdiaz commented 11 years ago

You can secure and remove the salt from symfony2. When you exchange the WSSE token, the password is passed hardly encrypted in the generated token, so the salt is not necessary as a common base64 http request.

babour commented 11 years ago

I am not sure I understand, could you be more specific?

If you remove the salt and keep the encryption, should it work? Is there something else to change to make it work?

If I keep the salt and the encryption, then what happens?

bassim commented 11 years ago

I'm also anxious to hear a more specific elaboration on this issue!

sdiaz commented 9 years ago

In real projects using WSSE, what I do is to return the user object on POST user create, so the client app gets the salt. The other thing is to retrieve the salt from a single service (/user//salt) if the user is doing login from a client without this data.

There is also a service that generates a token based on a username/password.

The project right now (after the sf2.6 update) will check the salt and use strong encryption for passwords.
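The exchange the two comments above describe (the client needs the stored salt to reproduce the encoded password, and the encoded password is the secret that goes into the WSSE digest), as an added example that is not part of this issue thread or of the FOSRestBundleByExample project. The `encode_password` helper uses PBKDF2-SHA512 as a stand-in for Symfony's password encoder (an assumption, not Symfony's exact algorithm), the user store, the `alice` record and the `X-WSSE` header values are constructed for the example, and the 30-second clock-skew tolerance and 300-second token lifetime are illustrative choices. The server side shows the checks a verifier needs beyond the digest itself: a valid `Created` timestamp inside the window, a nonce that has not been seen before, and a constant-time digest comparison.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# X-WSSE: UsernameToken Username="...", PasswordDigest="...", Nonce="...", Created="..."
WSSE_RE = re.compile(
    r'UsernameToken Username="([^"]*)", PasswordDigest="([^"]*)", '
    r'Nonce="([^"]*)", Created="([^"]*)"'
)


def encode_password(plain: str, salt: str, iterations: int = 10000) -> str:
    """Salted password encoding shared by server and client.

    Stand-in for Symfony's encoder (assumption): both sides must run the same
    function, which is why the client has to learn the user's salt first."""
    dk = hashlib.pbkdf2_hmac("sha512", plain.encode(), salt.encode(), iterations)
    return base64.b64encode(dk).decode()


# Constructed sample store: the server keeps the salt and the encoded password only.
USERS = {
    "alice": {"salt": "s0m3s4lt", "secret": encode_password("correct horse", "s0m3s4lt")},
}


def parse_created(value: str) -> datetime:
    """Parse a WSSE Created timestamp (UTC, second resolution)."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce_raw: bytes, created: str, secret: str) -> str:
    """PasswordDigest = Base64(SHA1(nonce + created + secret)) per the WSSE profile."""
    return base64.b64encode(hashlib.sha1(nonce_raw + created.encode() + secret.encode()).digest()).decode()


def build_wsse_header(username: str, secret: str, nonce_raw: bytes = None, created: str = None) -> str:
    """Client side: build the X-WSSE header value from the encoded password."""
    nonce_raw = nonce_raw or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    digest = password_digest(nonce_raw, created, secret)
    return (
        f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
        f'Nonce="{base64.b64encode(nonce_raw).decode()}", Created="{created}"'
    )


def verify_wsse_header(header: str, users: dict, seen_nonces: set,
                       now: datetime = None, max_age_seconds: int = 300) -> bool:
    """Server side: accept the header only if it is well-formed, fresh, unseen and correct."""
    m = WSSE_RE.fullmatch(header)
    if not m:
        return False
    username, digest, nonce_b64, created = m.groups()
    user = users.get(username)
    if user is None:
        return False
    try:
        created_at = parse_created(created)
        nonce_raw = base64.b64decode(nonce_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    now = now or datetime.now(timezone.utc)
    if created_at > now + timedelta(seconds=30):      # clock skew tolerance (illustrative)
        return False
    if now - created_at > timedelta(seconds=max_age_seconds):  # token expired
        return False
    if nonce_b64 in seen_nonces:                      # replay of a captured header
        return False
    expected = password_digest(nonce_raw, created, user["secret"])
    if not hmac.compare_digest(expected, digest):     # constant-time comparison
        return False
    seen_nonces.add(nonce_b64)
    return True


def demo() -> dict:
    """Walk the flow: client fetches salt, encodes password, sends header; server verifies."""
    salt = USERS["alice"]["salt"]                     # returned by POST user create / salt service
    client_secret = encode_password("correct horse", salt)
    header = build_wsse_header("alice", client_secret)
    seen = set()
    first = verify_wsse_header(header, USERS, seen)
    replay = verify_wsse_header(header, USERS, seen)
    return {"first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())  # {'first': True, 'replay': False}
```

The point the thread circles around is visible in `build_wsse_header`: the client never sends the plaintext, but it can only compute the same secret as the server if it knows the salt, so either the salt is handed out (as the comment above describes) or the stored password must be reproducible without one.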

sdiaz commented 9 years ago

You can also check how it's done in OROPlatform, they use an additional token to use instead of passwd/Salt combination in the firewall.