[Melbourne-pm] Web auth meth

Mathew Robertson mathew.robertson at netratings.com.au
Wed Sep 10 17:00:08 PDT 2008

>>  It seems to be that every web browser on the planet know about Basic 
>> Auth and most know about Digest Auth and Digest Auth seems to be 
>> about secure as anything when used with SSL.
> Actually there is no point in using digest auth with SSL. Digest auth 
> is useful for non-SSL connections.
sort of... Digest auth is still susceptible to replay-attack.  You might 
as well simply hash your password, then send it over basic auth -> it 
will give you close to the same level of security.
> But personally I would be using a cookie.
There was a discussion a few weeks ago on creating a one-time ID, that 
would be useful code to use.
>> So why reinvent a session logging system when there doesn't appear to 
>> be a need?  So I've been asking around looking for why some of the 
>> more complex systems are used.  The biggest reason cited so far is 
>> "You can't make a nice looking login form"... hmmmm.... I think thats 
>> not entirely true.
> Actually it is true for Digest and Basic auth. You have no control on 
> that login form - you must use the Browser Built in. But remember it 
> is just like using Email login, or FTP login - it is up to the 
> application.
Thats not strictly true, ie;
1. go to page located behind https url,
2. page contains a username/password form entry fields
3. the onsubmit handler sends XMLHttpRequest with the appropriate 
auth-headers set using those form fields
> If you use cookies (like 99% of the most popular sites, including your 
> bank) - you have complete control.
provided you dont forget the "httponly" and the "secure" cookie 

Mathew Robertson

More information about the Melbourne-pm mailing list