The best authentication method

Hello buddies!

I’m developing a virtual community web site. In this community there are users and groups. Users can join/leave groups.

When users create an account, they enter their username/pwd. The system saves this info on a DB and also creates a Linux account with the same username/pwd. For logging into the community, users provide their credentials (username/pwd). The system hashes (md5) the pwd and compares it against the pwd saved on the DB (also md5-hashed).

Now I want to integrate Openfire with my system in the following manner:

1- Users can use their community credentials to log into Openfire.

2- Whenever a user joins a group, my system updates his roster by adding all other members of this group.

And I don’t want Openfire to directly access my DB (for security reasons). And maybe my system will not have permission to update Openfire’s DB (also for security reasons).

The best solution I could come up with was:

  • Configure Openfire to use PAM authentication, since each user has a Linux account. (done with step 1).
  • Whenever a user enters his pwd to log into the community, I use it to authenticate on Openfire and perform all necessary roster updates (using jabber msgs). (done with step 2).

The problem is:

There are cases where the user doesn’t need to type his password! The session, with the help of cookies, can live 2 months or more; even if the browser is closed, the session is still alive…

So my question is: Is it possible to keep the user ‘authenticated’ on Openfire until his session on the virtual community expires?

Thanks a lot!!!
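The login check described in the post (md5 the submitted password, compare with the md5 stored in the DB) written out, next to a hardened form of the same check, as an added example from the editor rather than code from the poster or from Openfire. The hardened form swaps the unsalted md5 for salted PBKDF2-HMAC-SHA256 from Python's standard library; the user table, usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample of the post's DB: username -> md5(pwd) hex digest.
MD5_USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def verify_md5(username: str, password: str) -> bool:
    """Login check as the post describes: md5 the submitted pwd and compare
    it with the md5 digest stored for that user. Unsalted md5 is fast to
    brute-force offline, which is why the hardened variant below exists."""
    stored = MD5_USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Constant-time comparison so a leaked timing side channel does not
    # reveal how many leading characters of the digest matched.
    return hmac.compare_digest(stored, candidate)


# Hardened replacement (editor's assumption, not from the post): a random
# per-user salt plus a slow, iterated KDF, stored as one self-describing string.
ITERATIONS = 600_000


def make_record(password: str) -> str:
    """Build the value to store in the DB at account creation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Login check against a stored record produced by make_record()."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Because the salt is random, two records for the same password differ, so a single precomputed table cannot be reused across accounts.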