Gossamer Forum

Secure User Authentication Integration

Hello from down the road in Seattle!

I like the look and feel of the Gossamer Threads forums and am interested in integrating the user database used by the Gossamer Threads forums with other parts of my site. The other parts of the site could use the forum database. Or, the forums could use some non-forum login database. I will also need to authenticate against the user database from a program that's running at a server off-site. I want this all to be done reasonably securely, e.g., say using server and client nonces. Any ideas? One thing I noticed is that the Gossamer Threads forums send the user name and password in clear text from the login page, so hopefully the integration with other parts of the site would eliminate that somehow.
Re: [AS] Secure User Authentication Integration In reply to
Hi,

If you put your login page under https, that will eliminate sending the form input in clear text.

Have a look at the Auth_Community plugin for an example of how to integrate Gossamer Forum off of a remote database. You can download Community and the plugin from:

http://www.gossamer-threads.com/scripts/community/

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Secure User Authentication Integration In reply to
The Community plugin looks great. I've been looking for something like this for weeks and am hoping that this is what I need! I have downloaded Community and am a bit stuck in the installation process as I am having trouble connecting to my database in the installation (http://www.gossamer-threads.com/...i?post=255815#255815)

(I know that I could use SSL -- but it is easy to mess up the installation of SSL, and using SSL requires spending money and time and increases complexity. It seems reasonable to expect passwords to not be sent in the clear by default. I was wondering: would it be possible for Gossamer to provide password security by default instead of requiring customers to do something? This might be a nice feature that your competitors don't have. I know I would like it and I bet other people would too.)