Hi all,
I would be very interested in your opinions on the ModelSecurity
plugin by Bruce P…
http://perens.com/FreeSoftware/ModelSecurity/Tutorial.html
Some time ago, I read on a few pages that it is the way to go; on this
list, however, I didn’t read much about it. Apart from its security
level, quoted from comments in source code:
FIX: At the moment we only support Basic authentication. It’s
prone to sniffing. Change to Digest authentication.
I am at the moment struggling with the fact that it stores the
complete User object in the session data. While this is generally not a
good idea, it’s a real problem for me, as I have to deactivate and
reactivate user accounts in my app. I don’t think session expiry
handling will be enough here … I tried changing the code so that it
only stores the user_id and user_name in the session, however I didn’t
get this to work so far …
Any tips? Better authentication libs?
cheers
Martin
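
The stale-session problem described in the post above, as an added example that is not part of the original messages and is not ModelSecurity code. It is a plain-Ruby simulation (the `User` struct, the `users` hash and all helper names are hypothetical) contrasting a serialized User object kept in the session with storing only the id and re-checking the active flag on every request.

```ruby
# Constructed stand-ins: a User record and an in-memory "users table".
User = Struct.new(:id, :name, :active)

# Pattern from the post: the complete User object is serialized into the session.
def login_storing_object(session, user)
  session[:user] = Marshal.dump(user)      # snapshot frozen at login time
end

def current_user_from_object(session)
  blob = session[:user]
  blob && Marshal.load(blob)               # the users table is never consulted again
end

# Alternative: the session holds only the primary key.
def login_storing_id(session, user)
  session[:user_id] = user.id
end

# Reload the record on every request and enforce the active flag.
def current_user_from_id(session, users)
  user = users[session[:user_id]]
  return user if user && user.active
  session.delete(:user_id)                 # deactivated or deleted: end the login
  nil
end

# Log the same user in both ways, then deactivate the account.
def demo
  users = { 1 => User.new(1, "martin", true) }
  stale_session = {}
  fresh_session = {}
  login_storing_object(stale_session, users[1])
  login_storing_id(fresh_session, users[1])

  users[1].active = false                  # administrator deactivates the account

  { stale_copy_active: current_user_from_object(stale_session).active,
    id_lookup_user:    current_user_from_id(fresh_session, users),
    id_still_in_session: fresh_session.key?(:user_id) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The serialized copy still reports the account as active after deactivation, while the id-based lookup rejects the request and clears the login.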
ModelSecurity hasn’t been updated since November and doesn’t seem to be
actively maintained. Bruce P. is a busy guy.
It has a nice API, but I ended up switching to something under active
development that used migrations for its database table creation.