[Freeciv-Dev] Re: client/server authentication (PR#1767)

["Raimar Falke" <rf13@xxxxxxxxxxxxxxxxx>]

On Mon, May 05, 2003 at 07:43:04AM -0700, Mike Kaufman wrote:
> > When the user enters an empty password, she is asked to confirm it instead
> > of being rejected. The confirm step should be skipped in this case IMHO.
> 
> hmm, this is Raimar's fault [mainly] since he wanted password confirmation
> in the client rather than the server, and I don't think I want to fix this
> since I agree with him. Only the server knows that a blank password is
> illegal. On some servers, this might not be the case. We don't want to put
> this information in the client.

I agree this isn't an easy problem. We currently don't test the user
name and the city name at the client. We currently test the leader
name at the client. For testing at the server speaks a better
interface because you usually destroy the dialogs after you sent the
packet and don't wait for the results. That the client has more
knowledge than it needs to be is a reason against testing at the
client.

I think we agree that the server has the rule over the decision if a
certain input (name or password) is allowed or not. I think we also
agree that even if the client does checks the client needs to be able
to cope with a rejection of the server. (I'm not sure if this is the
case for the nation selection dialog.)

I think that we should use is_sane_name (which is a very basic check)
for user-name, city-name and also the password.

        Raimar

-- 
 email: rf13@xxxxxxxxxxxxxxxxx
 "Just because you put a flag on the moon doesn't make it yours, it just
  puts a hole in the moon."