[brickcap]

I have a question...

>Specter takes the elegant/lazy approach of not using sessions at all - access to edit and create pages is entirely via url, and permission to actually perform those changes is granted by including a 'secret' (a password) in the form. It's not the most secure form of defense (I'm not using ssl, so a wireless sniffer could easily determine my password, for example), but its sufficient for a nonprofessional.

Is there something that I can do to make it more secure but still follow the lazy approach. I am asking cause I use heroku which is not secure as well.

[nevinera]

I believe the standard approach is to hash the password in the browser and submit the hash for comparison - then if somebody observes the transaction they will only have gained access to the blog, and not everything with which it shares a password.

On the other side, it is typically better not to store the password on the server either. You could accomplish that by giving a utility to store a hash in a file, but that's a bit heavy I guess.

I meant for a nonprofessional /blogger/, incidentally, not a nonprofessional coder :-)

[nevinera]

It looks like the actual best answer is to use ssl - apparently most apps transmit their password in the clear, and just rely on ssl to keep it from being observed. I'll amend my post.

[brickcap]

Ah thanks for letting me know. I had opened an issue to change my implementation but I guess I will leave it now. Thanks once again.