0

I am creating a login page with an authentication using LDAP. I could see LDAP3 packages for flask with login forms as well. I am looking for a form where the developer of the portal(say me or anyone in our team) should not be able to add any print statements and sniff the username and password when someone log in...

The flask form is exposing the password variable as a plain string. Even if it doesn't expose , it is possible to put a print statement in the flask_form validate function.

Is there any option available like the form is bundled as binary or c-python module where the developer has no option to sniff the credentials at all..

If not possible or no options available as they know off, any other framework like django helps for these usecase?

Improve this question

1 Answer 1

Reset to default
2

By design, server-side LDAP authentication requires the server receive the username & password from the user and relay that information to the LDAP server. This means a developer could insert a line that logs all credentials out somewhere, grab the passwords from process traces, dump memory, etc. If you don't want any of the developers or system administrators to have access to user passwords, use some type of federated authentication instead of LDAP.

In a federated authentication scheme, the user auths against some other source (e.g. ADFS) and your app checks a token that essentially says "this trusted other auth source says the person is Lisa".

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.