Encryption
- Never store passwords as plaintext
- Create a migration to encrypt them and save the ciphertext
  - Hash the combination of the secret and their password
- When someone logs in:
  - Check that the hash of the secret plus the password they supplied matches the stored value
  - Create a random number as a cookie
  - Store that and their ID in a dictionary of sessions
- When someone requests access to experimental data:
  - If their cookie is in the sessions dictionary, use their staff ID
  - Otherwise reject as unauthorized
- Still insecure
  - We are getting their password over an unencrypted channel
  - The cookie is being passed back and forth over the same channel
  - Look at certificates in an appendix
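The migration, login and access-check flow from the outline above, as an added example in Python that is not part of these notes; the secret value, staff IDs and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed secret for this example; in a real deployment it comes from
# configuration, never from source code.
SECRET = "example-secret-do-not-reuse"

# The notes' "dictionary of sessions": random cookie value -> staff ID.
SESSIONS: Dict[str, int] = {}


def hash_password(password: str) -> str:
    """Hash the combination of the secret and the password (the notes' scheme)."""
    return hashlib.sha256((SECRET + password).encode("utf-8")).hexdigest()


def migrate(plaintext_users: Dict[int, str]) -> Dict[int, str]:
    """The migration: replace every stored plaintext password with its hash."""
    return {staff_id: hash_password(pw) for staff_id, pw in plaintext_users.items()}


def login(users: Dict[int, str], staff_id: int, password: str) -> Optional[str]:
    """Return a fresh session cookie on success, None on bad credentials."""
    stored = users.get(staff_id)
    # Hash the supplied password the same way and compare in constant time,
    # so the comparison itself does not leak how many characters matched.
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return None
    cookie = secrets.token_hex(16)  # random value the browser sends back later
    SESSIONS[cookie] = staff_id
    return cookie


def authorize(cookie: Optional[str]) -> Optional[int]:
    """Look the cookie up in the sessions table; None means 'reject as unauthorized'."""
    if cookie is None:
        return None
    return SESSIONS.get(cookie)


if __name__ == "__main__":
    users = migrate({101: "correct horse", 102: "battery staple"})  # constructed
    assert "correct horse" not in users.values()  # plaintext is gone after migration
    cookie = login(users, 101, "correct horse")
    print("staff ID for cookie:", authorize(cookie))         # 101
    print("wrong password:", login(users, 101, "wrong"))     # None
    print("unknown cookie:", authorize("not-a-real-cookie"))  # None
```

Because the stored value is a hash of the same secret plus the password, two users with the same password get the same stored value; a per-user salt and a deliberately slow password hash are the usual hardening, and neither changes the session logic shown here.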