Avoid checking credentials with every request

Description

Checking for valid credentials becomes especially expensive with salted and hashed passwords. This should only be done once and after that handled by a session id or something like that.

Environment

None

Activity

Hannes Ebner
October 15, 2013, 4:01 PM

Added caching with max age of 2 hours; only valid for BasicVerifier (HTTP basic) as other cookie-based authentication schemes should work with tokens instead; to be solved in a different issue.

Hannes Ebner
October 15, 2013, 9:00 AM

HTTP basic requires user/pw with every request, so a token only works with mechanisms such as cookie auth; tokens can also be used with OpenID.

Hannes Ebner
October 15, 2013, 8:57 AM

A super class perhaps, that stores a set of hashes consisting of username + password + salt (installation's base URI?) using a fast algorithm, e.g. SHA-1. Not the safest thing to do, but it is perhaps necessary not to expect an attacker to have access to the memory of the local machine.

An alternative is to create a token (instead of a hash based on user/pw) that expires after some time.

See also http://stackoverflow.com/questions/18061439/caching-authentication-status-to-improve-performance-of-subsequent-messages.
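The caching scheme sketched in the comments above, as an added example that is not code from the project or its author: positive verifications are cached for a maximum age of 2 hours under a keyed digest of username + password, so the slow salted check runs only on a cache miss. `slow_verify`, `make_user_db` and the HMAC secret standing in for the "installation base URI" salt are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
# Stand-in for the expensive salted check the issue wants to stop repeating:
# PBKDF2 with a high iteration count (assumption; any slow password hash fits).
PBKDF2_ITERATIONS = 200_000

def make_user_db(credentials):
    # Constructed user store: {username: (salt, pbkdf2_hash)}
    db = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        db[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS))
    return db

def slow_verify(username, password, user_db):
    record = user_db.get(username)
    if record is None:
        return False
    salt, stored = record
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(derived, stored)

class CachingVerifier:
    # Caches positive results for max_age seconds (2 h, as in the fix). The key is
    # an HMAC over username + password under an installation-specific secret (assumed
    # stand-in for the salt): only keyed digests sit in memory, never the password.
    def __init__(self, verify_fn, max_age=2 * 3600, secret=None):
        self._verify = verify_fn
        self._max_age = max_age
        self._secret = secret or os.urandom(32)
        self._cache = {}  # HMAC key -> expiry time
        self.slow_calls = 0  # how often the expensive check actually ran

    def _key(self, username, password):
        msg = username.encode() + b"\x00" + password.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def verify(self, username, password, now=None):
        now = time.time() if now is None else now
        key = self._key(username, password)
        expiry = self._cache.get(key)
        if expiry is not None and now < expiry:
            return True  # cache hit: no salted hash computed
        self._cache.pop(key, None)  # expired or absent: fall through
        self.slow_calls += 1
        ok = self._verify(username, password)
        if ok:
            self._cache[key] = now + self._max_age  # only cache successes
        return ok
```

Failed attempts are deliberately never cached, so a wrong password always costs the full check and an entry is dropped once its age exceeds the limit.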

Fixed

Assignee

Hannes Ebner

Reporter

Hannes Ebner

Labels

None

Fix versions

Priority

Normal