I am building an application without a browser server (XULRunner-CherryPy), using HTTP for communication. The area I'm thinking about right now is user authentication. Since I do not have significant security knowledge, I would prefer to use proven approaches and ready-made libraries rather than try to come up with and/or create something on my own.
I have read a lot of articles lately, and I can say that all I have left is a lot of disappointment, much of which was contributed by this and these blog posts.
It seems to me that I need:
- Securely store passwords in a database (adaptive hashing?)
- Secure user credentials on the wire (digest authentication? SSL?)
- Secure token authentication for subsequent requests (not sure about this)
So the question is: what are the modern (headache-free) methods and/or libraries that implement this? (No confidential information, such as credit card numbers, will be stored.)
I looked at OAuth, and they have a new version that they highly recommend using. The problem is that the documents are still under development, and there are no libraries implementing the new revision (?).
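The first and third items in the question's list (adaptive password hashing at rest, and a bearer token for subsequent requests) can both be covered with nothing but the Python standard library, which fits a CherryPy back end. The block below is an added example and is not code from the poster or from any library mentioned on the page; it assumes PBKDF2-HMAC-SHA256 as the adaptive hash (the iteration count, salt length and the `pbkdf2_sha256$iters$salt$hash` storage format are choices made for this example), stores only a SHA-256 digest of each session token so a leaked session table does not yield usable tokens, and carries a `needs_rehash` check so the work factor can be raised later as hardware gets faster. Transport security (the second item) is not shown; that is TLS on the server and is independent of this code.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Parameters chosen for this example (not prescribed by the page):
# tune PBKDF2_ITERATIONS so one hash costs a noticeable fraction of a second
# on your server, and raise it over time.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt>$<hash>.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table cannot be reused.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_" + PBKDF2_HASH,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse_record(stored):
    """Split a stored record into (hash name, iterations, salt, digest), or None."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if not algo.startswith("pbkdf2_"):
            return None
        return (algo[len("pbkdf2_"):], int(iters),
                base64.b64decode(salt_b64), base64.b64decode(hash_b64))
    except (ValueError, TypeError):
        return None


def verify_password(password, stored):
    """Recompute the hash with the record's own parameters and compare in constant time."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    name, iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac(name, password.encode("utf-8"), salt, iterations, len(expected))
    # hmac.compare_digest avoids leaking, via timing, how many leading bytes matched.
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored, iterations=PBKDF2_ITERATIONS):
    """True if the record was made with a weaker work factor than the current policy.

    Call this right after a successful login, when the plaintext is available,
    and store hash_password(password) to upgrade the record transparently.
    """
    parsed = _parse_record(stored)
    return parsed is None or parsed[0] != PBKDF2_HASH or parsed[1] < iterations


def _token_digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Opaque bearer tokens for requests after login (in-memory table for the example)."""

    def __init__(self):
        self._user_by_digest = {}

    def issue(self, user_id):
        # 32 bytes from the OS CSPRNG; the client gets the token, the server keeps only its digest.
        token = secrets.token_urlsafe(32)
        self._user_by_digest[_token_digest(token)] = user_id
        return token

    def user_for(self, token):
        """Return the user id for a presented token, or None if unknown/revoked."""
        return self._user_by_digest.get(_token_digest(token))

    def revoke(self, token):
        self._user_by_digest.pop(_token_digest(token), None)


def login(users, sessions, username, password):
    """Check credentials against a {username: record} table and mint a token on success.

    Returns (token, upgraded_record) where upgraded_record is a new hash to
    persist if the stored one used an outdated work factor, else None.
    """
    record = users.get(username)
    if record is None or not verify_password(password, record):
        return None, None
    new_record = hash_password(password) if needs_rehash(record) else None
    return sessions.issue(username), new_record
```

In a CherryPy handler the token would be returned to the XULRunner client once and then sent on every later request (for example in an `Authorization: Bearer` header), with `SessionStore.user_for` deciding whether the request is authenticated; the password hash is only ever touched at login.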