[Melbourne-pm] Web auth meth
Mathew Robertson
mathew.robertson at netratings.com.au
Wed Sep 10 17:00:08 PDT 2008
>> It seems to be that every web browser on the planet know about Basic
>> Auth and most know about Digest Auth and Digest Auth seems to be
>> about secure as anything when used with SSL.
>
> Actually there is no point in using digest auth with SSL. Digest auth
> is useful for non-SSL connections.
>
Sort of... Digest auth is still susceptible to replay attacks. You might
as well simply hash your password, then send it over Basic auth -> it
will give you close to the same level of security.
> But personally I would be using a cookie.
>
There was a discussion a few weeks ago on creating a one-time ID, that
would be useful code to use.
>> So why reinvent a session logging system when there doesn't appear to
>> be a need? So I've been asking around looking for why some of the
>> more complex systems are used. The biggest reason cited so far is
>> "You can't make a nice looking login form"... hmmmm.... I think that's
>> not entirely true.
>
> Actually it is true for Digest and Basic auth. You have no control on
> that login form - you must use the Browser Built in. But remember it
> is just like using Email login, or FTP login - it is up to the
> application.
That's not strictly true, i.e.:
1. go to a page located behind an https url,
2. the page contains username/password form entry fields,
3. the onsubmit handler sends an XMLHttpRequest with the appropriate
auth headers set using those form fields.
>
> If you use cookies (like 99% of the most popular sites, including your
> bank) - you have complete control.
provided you don't forget the "httponly" and the "secure" cookie
attributes...!
cheers,
Mathew Robertson
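The custom-form-plus-Basic-auth idea from step 3 above, as an added example that is not code from the thread: the page's own script builds the Authorization header from the form fields and refuses to send it unless the page was loaded over https. The function names and the `fields`/`loginUrl`/`pageProtocol` parameters are assumptions for the example; in a page you would pass `window.location.protocol` and hand the returned request to XMLHttpRequest or fetch.

```javascript
// Added example (not from the thread): a custom HTML login form that
// authenticates with HTTP Basic auth over HTTPS by setting the
// Authorization header itself, instead of using the browser's built-in
// dialog. Written as pure functions so the decision logic can be tested
// without a browser; the actual send (XMLHttpRequest/fetch) is left out.

// Build the RFC 7617 Basic credential: base64 of "user:pass", UTF-8 encoded.
// Basic auth cannot represent a ':' inside the user-id, so reject it.
function basicAuthHeader(username, password) {
  if (username.includes(':')) {
    throw new Error('Basic auth user-ids must not contain ":"');
  }
  const raw = Buffer.from(`${username}:${password}`, 'utf8');
  return `Basic ${raw.toString('base64')}`;
}

// Decide what the onsubmit handler should send. Basic credentials are only
// base64-encoded, not encrypted, so nothing is sent unless the page itself
// was delivered over https (otherwise an attacker who served the page could
// also read the credentials). Returns either a refusal or a request object.
function buildLoginRequest(fields, loginUrl, pageProtocol) {
  if (pageProtocol !== 'https:') {
    return { send: false, reason: 'refusing to send credentials over plain http' };
  }
  return {
    send: true,
    request: {
      url: loginUrl,
      method: 'GET',
      headers: { Authorization: basicAuthHeader(fields.username, fields.password) },
      withCredentials: false, // don't mix in any existing session cookies
    },
  };
}

// Map the server's status to what the form should show the user.
function interpretLoginResponse(status) {
  if (status === 401) return { ok: false, message: 'bad username or password' };
  if (status >= 200 && status < 300) return { ok: true, message: 'authenticated' };
  return { ok: false, message: `unexpected http ${status}` };
}

// Constructed sample form input (not real credentials).
const sampleFields = { username: 'alice', password: 's3cret' };
```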