Search Results

Search found 5 results on 1 pages for 'mrwooster'.

Page 1/1 | 1 

• How to implement a no-login authentication system

  - by mrwooster

  I am looking to build a very loose authentication system that can track a user and link submitted data/comments to a specific user. The submissions are essentially anonymous, but a user may want to edit his submission/comment at a later date. I want the experience to be as smooth as possible so do not want to ask users to sign up for an account and then login each time. There is no point as their submissions are not in their name and to another user browsing the site, there is no way of linking a submission to a specific user (think anonymous comments on a blog post or pastie). However, the user should have the ability to edit (at least in the short term) the content they have posted. The way I imagine doing this would be to place a unique identifier in a cookie on the users machine. This would enable me to link a submission to a user, and while that cookie remained on the users machine, I would allow them to edit their content. Of course, if the cookie is lost, or the user accesses the site from a different browser, then they would not be able to edit their content, but this is not really an issue, they can always resubmit a new piece of content. Is there a better way of doing this? How can I implement this so that the user can edit their data for the longest possible amount of time.

  Read the article

• Using a random string to authenticate HMAC?

  - by mrwooster

  I am designing a simple webservice and want to use HMAC for authentication to the service. For the purpose of this question we have: a web service at example.com a secret key shared between a user and the server [K] a consumer ID which is known to the user and the server (but is not necessarily secret) [D] a message which we wish to send to the server [M] The standard HMAC implementation would involve using the secret key [K] and the message [M] to create the hash [H], but I am running into issues with this. The message [M] can be quite long and tends to be read from a file. I have found its very difficult to produce a correct hash consistently across multiple operating systems and programming languages because of hidden characters which make it into various file formats. This is of course bad implementation on the client side (100%), but I would like this webservice to be easily accessible and not have trouble with different file formats. I was thinking of an alternative, which would allow the use a short (5-10 char) random string [R] rather than the message for autentication, e.g. H = HMAC(K,R) The user then passes the random string to the server and the server checks the HMAC server side (using random string + shared secret). As far as I can see, this produces the following issues: There is no message integrity - this is ok message integrity is not important for this service A user could re-use the hash with a different message - I can see 2 ways around this Combine the random string with a timestamp so the hash is only valid for a set period of time Only allow each random string to be used once Since the client is in control of the random string, it is easier to look for collisions I should point out that the principle reason for authentication is to implement rate limiting on the API service. There is zero need for message integrity, and its not a big deal if someone can forge a single request (but it is if they can forge a very large number very quickly). I know that the correct answer is to make sure the message [M] is the same on all platforms/languages before hashing it. But, taking that out of the equation, is the above proposal an acceptable 2nd best?

  Read the article

• Problems building nodejs on MacOS Snow Leopard

  - by mrwooster

  I am having trouble building nodejs on MacOS Snow Leopard. I think it might have something to do with my PATH variable not being set correctly for the developer tools location. For some reason, the Developer tools (gcc, g++, make etc) are all stored in /Developer/usr/bin I added it to my PATH variable as follows: $ export PATH=$PATH:/Developer/usr/bin $ echo $PATH /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/git/bin:/usr/X11/bin:/Developer/usr/bin When i try to configure it complains about not finding open-ssl, ok, not a big problem. So I try with --without-ssl : $ ./configure --without-ssl Checking for program g++ or c++ : /Developer/usr/bin/g++ Checking for program cpp : /Developer/usr/bin/cpp Checking for program ar : /usr/bin/ar Checking for program ranlib : /Developer/usr/bin/ranlib Checking for g++ : ok Checking for program gcc or cc : /Developer/usr/bin/gcc Checking for gcc : ok Checking for library dl : yes Checking for library util : yes Checking for library rt : not found --- libeio --- Checking for library pthread : yes Checking for function pthread_create : not found /Users/Guy/git_src/node/node/deps/libeio/wscript:13: error: the configuration failed (see '/Users/Guy/git_src/node/node/build/config.log') Anyone know how I can get round this? I am suspicious that it might be something to do with the PATH or another ENV variable, but not sure. Thanks G

  Read the article

• Best solution top keep data secure

  - by mrwooster

  What is the simplest and most elegant way of storing a small amount of data in a reasonably secure way? I am not looking for ridiculous levels of advanced encryption (AES-256 is more than enough) and I am only looking to encrypt a small number of files. The files I wish to encrypt are mostly comprised of password lists and SSH keys for servers. Unfortunately it is impossible to keep track of ever changing passwords for my servers (and SSH keys) and so need to keep a list of the passwords. Obviously this list needs to be secure, and also portable (I work from multiple locations). At the moment, I use a 10MB encrypted disk image on my mac (std .dmg AES-256) and just mount it whenever I need access to the data. To my knowledge this is very secure and I am very happy using it. However, the data is not very portable. I would like to be able to access my data from other machines (especially ones running linux), and I am aware that there are quite a few issues trying to mount an encrypted .dmg on linux. An alternative I have considered is to create a tar archive containing the files and use gpg --symmetric to encrypt it, but this is not a very elegant solution as it requires gpg to be installed on every system. So, what over solutions exist, and which ones would you consider to be the most elegant? Ty

  Read the article

• Setting up a reverse proxy [on hold]

  - by mrwooster

  I am looking for the best solution for setting up a very low maintenance reverse proxy for a production website (example.com). The setup is as follows: A blog with will be hosted on heroku, and will reside at example.com/blog A static info page which will be hosted on S3 and will reside at example.com/signup A dynamic content management system, provided and hosted by an external vendor which will respond to requests for any other pages. The two solutions which come to mind are: Use HAProxy Ask the external vendor to reverse proxy requests for /blog and /signup The obvious solution would be to use HAProxy, but, if at all possible, I would like to avoid having to setup and maintain another server (especially such a critical one). I came across a company called Snapt which offers hosted HAProxy solutions, but its more geared towards load-balancing than reverse proxying. Option 2 is a possibility, but gives us very little control over changes and configuration. I see a lot of sites hosting blogs on /blog so this must be fairly common practice, am I missing an obvious solution?

  Read the article

1