Joshua D. Drake | 2 Oct 2007 17:45

Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)


Chris Travers wrote:
> On 10/1/07, Joshua D. Drake <jd@...> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Chris Travers wrote:
>>> On 10/1/07, Joshua D. Drake <jd@...> wrote:
>>>> -
>>>>
>>>> passwords will not be stored as plain text... they will be an encrypted
>>>> hash. I am not understanding the problem.
>>>
>>> Log in to LedgerSMB with your DB username and password.
>>>
>>> Click on a link.  How does the application know what password to use to log
>>> into the db?
>> You hash and compare?
> 
> 
> 
> Ok, maybe I am not being clear.
> 
> To log in on the next page you need to provide PostgreSQL with a username
> and password.  How do we derive what password we send to PostgreSQL and
> where do we store this (it would have to be stored in the clear somewhere
> since we have to pass it via the DBI connect routine)?

Ahhh o.k. that makes more sense. Let me noodle.