Fossil SCM
Initial cut at better explanation regarding username/password authentication.
Commit
62077d3fd4e3050e1002e64ec53b5cd341433138365536cc77d8889ee3427124
Parent
445d1a86bac9ddf…
1 file changed
+3
-1
| --- www/password.wiki | ||
| +++ www/password.wiki | ||
| @@ -63,11 +63,13 @@ | ||
| 63 | 63 | for "anonymous" uses one-time captchas not persistent passwords. |
| 64 | 64 | |
| 65 | 65 | <h2>Web Interface Authentication</h2> |
| 66 | 66 | |
| 67 | 67 | When a user logs into Fossil using the web interface, the login name |
| 68 | -and password are sent in the clear to the server. The server then | |
| 68 | +and password are sent in the clear to the server. For most modern fossil | |
| 69 | +server setups with redirect-to-https enabled, this will be protected by the | |
| 70 | +SSL connection over HTTPS so it cannot be easily viewed. The server then | |
| 69 | 71 | hashes the password and compares it against the value stored in USER.PW. |
| 70 | 72 | If they match, the server sets a cookie on the client to record the |
| 71 | 73 | login. This cookie contains a large amount of high-quality randomness |
| 72 | 74 | and is thus intractable to guess. The value of the cookie and the IP |
| 73 | 75 | address of the client is stored in the USER.COOKIE and USER.IPADDR fields |
| 74 | 76 |
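Review bot: the added sentence "this will be protected by the SSL connection over HTTPS so it cannot be easily viewed" ties the protection to redirect-to-https being enabled, but a redirect only helps if the login form itself is loaded and submitted over HTTPS; a client that posts the form to the plain-HTTP URL has already sent the login name and password in the clear before any redirect is issued. The hunk should say that the credentials are protected when the login page is served over HTTPS rather than when the redirect setting is on. Two smaller points on the same lines: "SSL connection over HTTPS" is redundant (HTTPS is HTTP over TLS; "the TLS connection" or simply "HTTPS" suffices), and "fossil" should be capitalised as "Fossil" to match the unchanged line above it ("When a user logs into Fossil using the web interface").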