[WEB SECURITY] IP address change: relogin

Stephan Wehner stephanwehner at gmail.com
Thu May 22 15:20:02 EDT 2008


On Wed, May 21, 2008 at 8:27 PM, Bil Corry <bil at corry.biz> wrote:
> One final method that I've contemplated, but haven't had time to build a
> PoC, is to use HTTP Digest Authentication and use XHR to passively
> "authenticate" the user with the username being their session ID, and the
> password a random value.  Then using Digest's nonce, you can prevent replay
> attacks, etc.  The downside is you have to initially seed the browser with...

Similar to this one?

http://www.peej.co.uk/articles/http-auth-with-html-forms.html

Stephan

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list