Archive for January, 2010
Sorry about the lack of new posts!
Posted by admin in Developer updates, News and updates on January 31st, 2010
I apologize for the lack of posts lately. I have yet to post any more tutorials on how to use some of SnowCMS’s tools, like I did with the API class. But don’t worry: although I have not been that active posting here, I have been fairly busy working on SnowCMS.
I recently completed a new tool for SnowCMS, the Form class. The Form class allows you to create forms (if you didn’t notice) that can then be hooked into via the API and changed, without any extra effort on your part: you simply build the form how you want it, and then display it. Right before the form is displayed (or processed), the API runs a hook which allows the form to be modified by adding, changing and removing fields. In fact, the registration form currently uses this Form class, and the very first SnowCMS plugin hooks into the form and adds a CAPTCHA verification image. It’s very simple to do!
For the time being, I need to get some sleep (it is 12:15 AM at the time of this post), but I hope to soon create a more in-depth guide to the creation of forms using the Form class.
Cya soon!
Do you want to get involved?
Posted by admin in News and updates on January 25th, 2010
As time progresses, the codebase of SnowCMS, of course, increases. However, as of right now, SnowCMS is primarily worked on by one person. Sure, things get done, and without communication issues, but that is simply because there is little communication happening!
Right now I am looking for others to become actively involved with SnowCMS. That includes people who are interested in themes (we need people to tell the developers how to allow the maximum amount of customization for theme creators, along with making themes easier to create) and plugins (we need people who are interested in creating plugins for SnowCMS, so they can tell us if the system needs more extensibility, such as more hooks and filters, and where), but also development of SnowCMS itself. If you want to be a developer at the core level of SnowCMS, though, you will need to start out at the lower ranks and rise up, as we need to be able to tell whether or not you are fit to have such access.
So if you are interested in any way, go to the SnowCMS Dev Forum, register an account, and introduce yourself!
Hope to see you there!
Keeping your credentials secure
Posted by admin in Developer updates on January 20th, 2010
One big goal of SnowCMS is providing a secure system, but of course, who wouldn’t want that? To keep that system secure, user credentials also need to be kept secure, because if someone gets hold of that information, especially that of a member who has powers, your site would likely become compromised.
So how do we keep your password secure? For starters, the password kept in the members database is salted with your username and then hashed using SHA1. Salting your password helps prevent the use of rainbow tables (you know, those sites that have databases of plain text strings and their hashed counterparts).
Then there is logging in. When you submit your credentials through the log in form, your password gets salted with your supplied username, hashed using SHA1, then salted with a randomly generated string generated by the server. Your plain text password is deleted before the form is sent to the server. This will only occur if you have JavaScript enabled, of course. Once the hashed password reaches the server, the server fetches your row from the members table, salts the hashed password stored in the database with the last salt it generated, hashes the result, and compares it to the one received from you. If they match, that means your password is correct.
Securing your password before it is sent to the server might seem a bit overkill, but it can be very useful. You never know: someone could be logging POST data, which would contain your login credentials. All they would get would be your hashed password, salted with a randomly generated string. The only way they could ever use that password to log in to your account would be if the server were to generate the same random string, which is highly unlikely.
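The login exchange described above, sketched as an added example (not SnowCMS's own code): the browser-side hashing and the server-side check, with a logged response rejected once the random string changes. The concatenation order, hex encoding, the second client-side hash and every name here are assumptions, since the post does not spell them out.

```javascript
// Added illustration, not SnowCMS code. Concatenation order, hex encoding
// and all names below are assumptions; the post does not specify them.
const crypto = require('crypto');

const sha1 = (s) => crypto.createHash('sha1').update(s, 'utf8').digest('hex');

// Browser side: only this value leaves the client, never the plain password.
function clientResponse(username, password, challenge) {
  const salted = sha1(username + password); // same value the members table stores
  return sha1(salted + challenge);
}

class LoginServer {
  constructor() {
    this.members = new Map();    // username -> SHA1(username + password)
    this.challenges = new Map(); // session id -> outstanding random string
  }
  register(username, password) {
    this.members.set(username, sha1(username + password));
  }
  issueChallenge(sessionId) {
    const challenge = crypto.randomBytes(16).toString('hex');
    this.challenges.set(sessionId, challenge);
    return challenge;
  }
  verify(sessionId, username, response) {
    const challenge = this.challenges.get(sessionId);
    this.challenges.delete(sessionId); // single use: a logged response cannot be replayed
    const stored = this.members.get(username);
    if (!challenge || !stored) return false;
    const expected = Buffer.from(sha1(stored + challenge), 'hex');
    const received = Buffer.from(String(response), 'hex');
    return received.length === expected.length &&
      crypto.timingSafeEqual(received, expected);
  }
}

// Constructed walk-through: one good login, then a replay of the logged POST value.
function demo() {
  const server = new LoginServer();
  server.register('alice', 'correct horse');
  const c1 = server.issueChallenge('session-1');
  const captured = clientResponse('alice', 'correct horse', c1);
  const firstLogin = server.verify('session-1', 'alice', captured);
  server.issueChallenge('session-2'); // fresh random string for the next attempt
  const replay = server.verify('session-2', 'alice', captured);
  const sameSessionReplay = server.verify('session-1', 'alice', captured);
  return { firstLogin, replay, sameSessionReplay };
}
```

Because `verify()` needs only the stored hash, the value in the members table works as a password equivalent and has to be protected as carefully as the password itself.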
Those are two ways that SnowCMS keeps your password from ever being seen by human eyes, but there is still one more. Cookies! No, not that kind, the Internet kind. With every page load, your browser sends its cookies to the server, where they are used to identify whether or not you are logged in. Instead of the cookie carrying your password salted with just your username, the password in the cookie is also salted with a randomly generated hash kept in the database… just in case.
Not everyone has access to SSL, which would stop such attacks. That is why we at SnowCMS have decided to use these tactics, to protect not only the system itself from security issues but also the people who use it.
Just a reminder: the SnowCMS Dev Forum is now open to the public. If you are interested in taking part in the development, or would just like to see what is happening, you should come and join us.
Till next time, cya!