[pmwiki-devel] Rethinking ZAP Login

The Editor editor at fast.st
Mon Apr 9 20:25:02 CDT 2007


Second post on this topic.  A brief recap though...  I'm always
looking for ways to simplify the ZAP login process by combining all
login information on one page.  I need however a way to encode/decode
certain values for security purposes.  I've developed my own simple
but reasonably secure encoding scheme, but I'm not sure how to decode it.
That is, I can write the function, but I'm not sure how to use it.

If I did it as {(decode {$:var})} I might as well not encode it, as
that would be available to about anyone.

If I lock it for admins I can't make it available to users to edit
their own emails, etc.  Though one idea is to make the code only
unlock for admins or if pagename = member name.  Hmmm that's an idea.

I was also thinking of putting some kind of initial identifier on the
values that would trigger ZAP to automatically decode them when
submitted in a form field, or perhaps a decode extension that would
decode any fields listed. Of course that requires more code in the
core engine, and this seems to me to be more of a peripheral
capability...

Basically, I just want to maintain reasonable security of a password
and email address and any other information from prying eyes, while
enabling admins and members to use and even edit them.  Maybe the idea
above is best.  Any input?

Cheers,
Dan

PS.  Here's the initial post...

On 4/8/07, The Editor <editor at fast.st> wrote:
> I'm reconsidering how I handle logins in ZAP to keep all the
> information on one page, rather than a login page and a profiles page.
>
> My original reason for separating them was to put the emails and
> passwords in a read protected group, and then put the more public
> profile information elsewhere.
>
> Now that I have passwords encrypted I have one less concern.  However,
> with emails, I'd like to have a basic encryption/decryption system
> that I could use to obscure these values, and perhaps others. It needs
> to be something simple and something I could unencrypt easily enough.
> Not anything complex. I was thinking about generating my own
> cryptographic pattern, but thought there's got to be something already
> out there...  If it was easy to handle, I could do a simple
> encode/decode function in ZAP and ZAPmarkup based on an admin set
> passcode, and use this for other fields as desired as well.
>
> It would simplify things quite a bit.  I might even use it for passwords.
>
> Cheers,
> Dan
>
> My idea:  take an admin defined key word like "secret", then scroll
> through each letter of the field value, and advance it based on the
> position of each letter in the alphabet--the first one 19 for s, 5 for
> e, 3 for c, etc.  To decode, reverse the same pattern.  Anything like
> that available?
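The keyword-shift scheme described at the end of the quoted post, written out as an added Python example (not code from ZAP, PmWiki or the post itself) so its behaviour can be checked. It assumes "a" shifts by 1 as the post's "19 for s, 5 for e" implies, that non-letters such as "@" and "." pass through unchanged, and the function names are my own.

```python
import string

ALPHABET = string.ascii_lowercase


def _shifts(key: str) -> list[int]:
    """Shift amounts from the key word: 's' -> 19, 'e' -> 5, 'c' -> 3, ...

    A letter's shift is its 1-based position in the alphabet, as in the post.
    Non-letters in the key are ignored; an empty key is rejected.
    """
    shifts = [ALPHABET.index(ch) + 1 for ch in key.lower() if ch in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    return shifts


def _shift_text(text: str, key: str, direction: int) -> str:
    shifts = _shifts(key)
    out = []
    i = 0  # only letters consume a key position (assumption: '@', '.' pass through)
    for ch in text:
        lower = ch.lower()
        if lower in ALPHABET:
            idx = (ALPHABET.index(lower) + direction * shifts[i % len(shifts)]) % 26
            new = ALPHABET[idx]
            out.append(new.upper() if ch.isupper() else new)
            i += 1
        else:
            out.append(ch)  # separators stay visible in the encoded value
    return "".join(out)


def encode(value: str, key: str) -> str:
    """Advance each letter by the matching key letter's position (wrapping at z)."""
    return _shift_text(value, key, +1)


def decode(value: str, key: str) -> str:
    """Reverse the same pattern: subtract instead of add."""
    return _shift_text(value, key, -1)


def shared_prefix_length(a: str, b: str) -> int:
    """Common prefix of two encoded values. The scheme is deterministic and
    letter-by-letter, so equal plaintext prefixes give equal encoded prefixes."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n
```

Because the shifts repeat every six letters and separators are untouched, two addresses at the same domain encode to values that still share their visible shape; this obscures a field from a casual reader but is not a substitute for read protection or real encryption with a key kept outside the page.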
