From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 15 Jan 2014 19:29:48 +0100
Subject: authentication support: work has begun!
In-Reply-To: <4500221.0uF48Q1BnU@al>
References: <CAHmME9pLfxyuEPYa2c92Gq4+O4aPkP+_pfUv-N1RMUPpPvVUjw@mail.gmail.com>
 <14648906.FqII7cU9cN@al>
 <CAHmME9qUPhGUJu3DYp=cqfEqd-A7RyTVxHrz2tyqG64MsZi_7A@mail.gmail.com>
 <4500221.0uF48Q1BnU@al>
Message-ID: <CAHmME9pcgyHDX7e4=MC=yaSZ1o7HcmRYAN-CVp=b8ic0AkoTfg@mail.gmail.com>

On Wed, Jan 15, 2014 at 7:17 PM, Peter Wu <lekensteyn at gmail.com> wrote:
> Aside from storing passwords in plaintext, I see no other obvious issues.

I'm not too keen on this either. Care to submit a patch against
jd/authentication that does a crypt() / mkpasswd salted hash
situation? Does luacrypto support this? Investigate it?

> The current login page is cachable, you should add "Cache-Control: private" to
> prevent that.

Excellent idea.