Camen Design Forum

Let's rewrite NoNonsense


I don't think I can solve the world's password problems -- not without the browser vendors support :P


if you are going to be using this as your personal blog you probably want a slightly higher level of security than can be offered by NNF’s current simplicity

In my mind the site owner always has access to the FTP/Host, so they've one more level of control than a regular user and wouldn't get pwnd in one hit. Security methods will be improved in the new system.

At the moment I am at the conceptual planning stage. What you may not know is that when it came to creating NNF, I experimented with several different radical possibilities.

I looked at using RSS+XSLT so that no PHP would be needed, but in-browser XSLT is broken and dying (in an ideal world we wouldn't be writing code that we have to maintain, everything should be declarative).

I also considered having all posting and replying being done through e-mail rather than web-forms. It would be a good way to do things, but processing text from e-mails is a bag of hurt given how badly mail clients munge the source and I didn't want to delve into that.

I went with HTTP_AUTH solely to avoid using a browser session that is less secure, tends to expire (more code and design needed) and was overkill for what I wanted. For a new, complete system I will use a session but I want to be very cautious about how much user data I store, how I store it and so-forth.

NNF's style has been that the user name & password hashes are the only things stored so these are useless if acquired. But if I move to storing e-mail addresses and the like I'm much more worried about the implications of storing, managing and protecting this information.

Because vendors have given up on RSS (damn them and their ignorance), I can see the need to have mail subscriptions, but there is much to consider and I want to handle it well.

Or maybe go password less? Several people have been trying this in the last couple of months. One-time-passwords sent to an app or email address, or just an instant login link in an email message. This would be pretty simplistic for users, but is non-trivial to implement.

I've never heard of this concept before, that is very interesting. It definitely improves account safety, but adds many hurdles to the end-user. Much to think about here.


(Leave this as-is, it’s a trap!)

Only the original author or a moderator can append to this post.

Pro tip: Use markup to add links, quotes and more.

Your friendly neighbourhood moderators: Kroc, Impressed, Martijn