[WEB SECURITY] Web security improvement ideas

Joe Teff joe at joeteff.com
Wed May 25 20:20:13 EDT 2005


So if SSL is mandatory, what is wrong with basic auth? I don't like basic
auth if all web app users have local accounts on the machine.

Any reliance on the client (browser) to do security is extending too much
trust. Ever hear of Sleuth, Web Proxy, Telnet, ... Whatever the client
does is a bonus.

The only way you can "hide" session tokens from the client is to not send
them out. If they are in the HTTP request or response then they are
available to the client.

jt

-----Original Message-----
From: Ivan Ristic <ivan.ristic at gmail.com>
To: websecurity at webappsec.org
Date: Wed, 25 May 2005 12:45:02 +0100
Subject: [WEB SECURITY] Web security improvement ideas
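The point made above, that whatever the browser does is a bonus and that the server must decide everything from its own state, can be shown with a small model. The following is an added illustration, not code from the list thread or from any project named in it; the in-memory session store, the `login`/`handle_request` functions and the request shape are constructed for the example. The session token handed to the browser is an opaque key with no data inside it, and a client-supplied `role` form field (as a hidden input would carry) is ignored in favour of the server-side record.

```python
"""Server-side session handling that trusts nothing the client sends
except as an opaque lookup key.  Added illustration, not code from the
mailing-list thread; the store and request format are constructed here."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed in-memory server-side session store: token -> Session.
SESSIONS: dict = {}


@dataclass
class Session:
    user: str
    role: str
    cart: dict = field(default_factory=dict)


def login(user: str, role: str) -> str:
    """Create a session and return the opaque token the browser will hold.
    The token carries no user data; every attribute lives server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user=user, role=role)
    return token


def logout(token: str) -> None:
    """Invalidate a session server-side; the browser's copy becomes useless."""
    SESSIONS.pop(token, None)


def lookup(token: str) -> Optional[Session]:
    """Resolve a client-presented token against the server-side store.
    compare_digest avoids leaking matching prefixes through timing; it only
    accepts ASCII str, so reject anything else up front (the client may
    send arbitrary bytes).  A real store would index by token hash instead
    of scanning."""
    if not isinstance(token, str) or not token.isascii():
        return None
    for stored, sess in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return sess
    return None


def handle_request(cookies: dict, form: dict) -> Tuple[int, str]:
    """Authorise an admin-only action.

    `form` may contain a 'role' field, exactly as a hidden input would; it
    is never consulted, because the browser controls it.  The decision is
    taken from the server-side Session found via the cookie."""
    sess = lookup(cookies.get("session", ""))
    if sess is None:
        return 401, "no valid session"
    if sess.role != "admin":  # server-side state only, form['role'] ignored
        return 403, f"{sess.user} is not admin"
    return 200, f"admin action performed by {sess.user}"


if __name__ == "__main__":
    alice = login("alice", "user")
    root = login("root", "admin")
    # Tampered hidden field: still 403, because role comes from the store.
    print(handle_request({"session": alice}, {"role": "admin"}))
    # Legitimate admin session: 200.
    print(handle_request({"session": root}, {}))
    # Edited token: no record matches, so 401.
    print(handle_request({"session": root[:-1] + "!"}, {}))
    logout(root)
    # Server-side invalidation: the same token no longer works.
    print(handle_request({"session": root}, {}))
```

The design choice worth noting is that the token is the only thing the client holds, and it is meaningless without the server's table; the server can revoke it at will, and nothing the browser edits in the form changes the authorisation outcome.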


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
