[Melbourne-pm] Web auth meth

Scott Penrose scottp at dd.com.au
Wed Sep 10 17:19:03 PDT 2008

On 11/09/2008, at 10:00 AM, Mathew Robertson wrote:
>>> It seems to be that every web browser on the planet know about  
>>> Basic Auth and most know about Digest Auth and Digest Auth seems  
>>> to be about secure as anything when used with SSL.
>> Actually there is no point in using digest auth with SSL. Digest  
>> auth is useful for non-SSL connections.
> sort of... Digest auth is still susceptible to replay-attack.  You  
> might as well simply hash your password, then send it over basic  
> auth -> it will give you close to the same level of security.

Absolutely. I was being a bit simplistic sorry. What I meant is that  
if you are using SSL, you don't need digest auth.

> Thats not strictly true, ie;
> 1. go to page located behind https url,
> 2. page contains a username/password form entry fields
> 3. the onsubmit handler sends XMLHttpRequest with the appropriate  
> auth-headers set using those form fields

Nice interesting solution. I will play with that. How well does that  
work on IE6?
Mind you I still would not use it, as it supports no safe logout and  
no ability to timeout or logout from the server end.

>> If you use cookies (like 99% of the most popular sites, including  
>> your bank) - you have complete control.
> provided you dont forget the "httponly" and the "secure" cookie  
> attributes...!

Yes. There is lots to do to secure the cookies. Uniqueness and un- 
guess-able only being part of the problem.


More information about the Melbourne-pm mailing list