[ale] User authentication in web app

Ben Coleman oloryn at benshome.net
Wed Mar 17 23:05:40 EST 2004



George Carless wrote:

| I don't understand.. why return/handle rows that are of no interest to
| you, instead of checking the password within the query?

Suppose two or more users have the same password?  You'll get multiple
rows back from your select, and you'll have to check each of them to see
if they match the user's username.  You do want to make sure the
password entered matches the username entered, don't you?

If you're only checking that the password exists within the database,
you've made the job of someone trying to break into your system a lot
easier.  Instead of having to guess at the password for a particular
user, he only has to guess at a password that any one of your users
might be using.  You *will* have users that choose weak passwords, and
if you're not checking the username, the erstwhile cracker doesn't need
to match the password to the user using it.  For that matter, he doesn't
even need to come up with a valid username.  Just guess at typical weak
passwords and if any of your users have used one, he's in.

Ben
- --
Ben Coleman oloryn at benshome.net      | The attempt to legislatively
http://oloryn.home.mindspring.com/   | micromanage equality results, at
Amateur Radio NJ8J                   | best, in equal misery for all.
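The two lookups Ben contrasts, as an added example (not code from either poster): `weak_lookup` models a check that only asks whether the password exists anywhere in the table and so returns every user sharing it, while `login` fetches the single row for the supplied username and verifies the password against that row. The users, salts and PBKDF2 hashing are constructed for the demo and are not from the thread.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; alice and bob deliberately share a weak password.
SAMPLE_USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "correct horse")]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the per-user salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory table with one row per constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def weak_lookup(conn: sqlite3.Connection, password: str) -> list:
    """The pattern the post warns against: match on password alone, with no
    username in the query. Returns every user whose password matches, so a
    guess at a common weak password succeeds if *any* account uses it."""
    matches = []
    for username, salt, pw_hash in conn.execute(
        "SELECT username, salt, pw_hash FROM users ORDER BY username"
    ):
        if hmac.compare_digest(hash_password(password, salt), pw_hash):
            matches.append(username)
    return matches


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Select only the row for the given username, then verify the password
    against that row. A guess has to pair the right password with the right
    user; an unknown username never authenticates, whatever the password."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(hash_password(password, salt), pw_hash)
```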
