[WEB SECURITY] standards for session tokens
randall at raan.net
Fri Dec 1 01:32:52 EST 2006
On Thu, Nov 30, 2006 at 09:43:44PM -0500, Brian Eaton wrote:
> The scalability penalty is in needing to maintain the session store on
> the server.
I agree that this is an issue, but not I think a deal-breaker.
Starting from the given that sessions are very useful, a little extra
horsepower on the server seems a good trade-off.
> The reliability penalty comes when you start worrying about server
I'd trust a server under the control of a good sysadmin much more than
a user's browser cache.
> Maybe even shared across applications written in different
> languages, by different people?
With a little work, this is possible today. Not across different
servers, but OTOH a cross-server API to encrypted client-side
credentials would be an irresistible attack vector.
> Something that could be reviewed, attacked, improved, and eventually
> widely deployed and widely trusted?
I think that's a nice idea, but the bottom line is that storing
encrypted credentials on the client requires trusting that client.
That's the root of many security problems, and is IMHO intractable.
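The trade-off argued in this message, as an added illustration that is not part of the original mail or the thread: a server-side session store keyed by an opaque random token next to a client-side token that carries its own claims. The client-side variant uses an HMAC-authenticated token rather than an encrypted one (integrity protection is the minimum the server needs to check before trusting anything the client hands back; encrypting the claims is a separate concern). All names, the `SERVER_KEY` value and the sample user are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example only; a real deployment would load a random key from secure storage.
SERVER_KEY = b"example-key-not-for-production"


class ServerSessionStore:
    """Server-side sessions: the client holds only an opaque random token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        # 256 bits of randomness; the token itself says nothing about the user.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now or time.time()}
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        # Revocation is immediate because the server owns the state.
        self._sessions.pop(token, None)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_token(user, ttl_seconds, now=None):
    """Client-side token: claims plus an HMAC so the server can detect tampering."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "exp": now + ttl_seconds}, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_client_token(token, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def tamper_payload(token, new_user):
    """Rewrite the claims without re-signing, as a client that edits its own token would."""
    payload_b64, mac_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["user"] = new_user
    forged = json.dumps(claims, sort_keys=True).encode()
    return _b64(forged) + "." + mac_b64


def compare_revocation(now=1000.0):
    """Show the difference the message points at: only the server-side store can revoke."""
    store = ServerSessionStore()
    server_token = store.create("alice", now=now)
    client_token = issue_client_token("alice", ttl_seconds=3600, now=now)

    store.revoke(server_token)          # user logs out / admin kills the session
    # There is no server state for the client-side token, so "logout" changes nothing
    # until the expiry claim passes; the server must keep trusting what the client sent.
    return {
        "server_after_revoke": store.lookup(server_token),
        "client_after_logout": verify_client_token(client_token, now=now + 60),
    }


if __name__ == "__main__":
    tok = issue_client_token("alice", 3600, now=1000.0)
    print("valid:", verify_client_token(tok, now=1500.0))
    print("tampered:", verify_client_token(tamper_payload(tok, "admin"), now=1500.0))
    print(compare_revocation())
```

The MAC stops a client from rewriting its own claims, which is the minimum before any client-held credential can be acted on; what it cannot do is let the server withdraw trust before the token expires, and that gap is what the server-side store buys with its extra memory and I/O.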