[Melbourne-pm] Web auth meth
Scott Penrose
scottp at dd.com.au
Wed Sep 10 17:19:03 PDT 2008
On 11/09/2008, at 10:00 AM, Mathew Robertson wrote:
>>> It seems to be that every web browser on the planet knows about
>>> Basic Auth and most know about Digest Auth, and Digest Auth seems
>>> to be about as secure as anything when used with SSL.
>>
>> Actually there is no point in using digest auth with SSL. Digest
>> auth is useful for non-SSL connections.
>>
> sort of... Digest auth is still susceptible to replay-attack. You
> might as well simply hash your password, then send it over basic
> auth -> it will give you close to the same level of security.
Absolutely. I was being a bit simplistic, sorry. What I meant is that
if you are using SSL, you don't need digest auth.
> That's not strictly true, i.e.:
> 1. go to page located behind https url,
> 2. page contains a username/password form entry fields
> 3. the onsubmit handler sends XMLHttpRequest with the appropriate
> auth-headers set using those form fields
Nice interesting solution. I will play with that. How well does that
work on IE6?
Mind you I still would not use it, as it supports no safe logout and
no ability to timeout or logout from the server end.
>> If you use cookies (like 99% of the most popular sites, including
>> your bank) - you have complete control.
> provided you don't forget the "httponly" and the "secure" cookie
> attributes...!
Yes. There is lots to do to secure the cookies. Uniqueness and
unguessability only being part of the problem.
Scott
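The thread's argument for cookie sessions over browser-held HTTP auth is that the server keeps control: it can expire a session or log a user out, which it cannot do when the browser re-sends credentials on every request. The following is an added illustration of that design, not code from the list or from any poster: an opaque, unguessable session id kept in a server-side table with an idle timeout and an explicit logout, issued in a Set-Cookie header carrying the HttpOnly and Secure attributes the thread mentions (SameSite=Strict is added on top as an assumption about current practice). The cookie name, timeout value, and the in-memory store are assumptions for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"          # assumed cookie name
IDLE_TIMEOUT = 15 * 60          # assumed policy: 15 minutes of inactivity


class SessionStore:
    """Server-side session table. The browser only ever holds the opaque id,
    so revoking the row is a real logout regardless of what the browser cached."""

    def __init__(self, clock=time.time):
        self._clock = clock             # injectable clock so timeouts can be tested
        self._sessions = {}             # sid -> {"user": str, "last_seen": float}

    def login(self, username):
        # 32 random bytes (256 bits) from the OS CSPRNG: unique and unguessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]     # server-end timeout: the id is now worthless
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, sid):
        """Server-end logout; returns True if a session was actually removed."""
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid, max_age=IDLE_TIMEOUT):
    """Set-Cookie value: HttpOnly keeps scripts away from the id, Secure keeps it
    off plaintext connections, SameSite=Strict limits cross-site sending."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["max-age"] = max_age
    c[SESSION_COOKIE]["samesite"] = "Strict"
    return c.output(header="").strip()


def logout_cookie_header():
    """Set-Cookie value that tells the browser to drop the id immediately."""
    return f"{SESSION_COOKIE}=; Path=/; Max-Age=0; Secure; HttpOnly"


def sid_from_request(cookie_header):
    """Extract the session id from an incoming Cookie header, if present."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(SESSION_COOKIE)
    return morsel.value if morsel else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("user for sid:", store.lookup(sid_from_request(f"{SESSION_COOKIE}={sid}")))
    store.logout(sid)
    print("after logout:", store.lookup(sid))
    print("Set-Cookie:", logout_cookie_header())
```

The two Set-Cookie builders are deliberately separate: the login header has to carry the protective attributes, and the logout header has to be sent together with deleting the server-side row, since clearing only the browser's copy would leave the id valid for anyone who had captured it.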