[WEB SECURITY] Web security improvement ideas

Ivan Ristic ivan.ristic at gmail.com
Thu May 26 04:44:32 EDT 2005

On 5/26/05, Joe Teff <joe at joeteff.com> wrote:
> So if SSL is mandatory, what is wrong with basic auth?

Basic authentication makes passwords available in clear text, making
it possible for whoever controls the server to collect them. As a
consequence, if a phisher manages to redirect a user to a rogue web
site that looks like a real one, he will learn the user's password.

> The only way you can "hide" sessions tokens from the client is to not send
> them out. If they are in the HTTP request or response then they are
> available to the client.

That's fine, as long as they are only available to the client the
session belongs to. The idea is to make it impossible for anyone else
to get the tokens. However, even that (whether session tokens are
private or public) becomes irrelevant when authentication is performed
for every HTTP request. If they don't know the password they can't get
in. BTW, this does not mean the user must explicitly authenticate on
every request, or even on every session. If there is no need to
authenticate users, a client and the server should agree on a random
shared secret at the beginning of the session.

Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list