[WEB SECURITY] IP address change: relogin
Bil Corry
bil at corry.biz
Fri May 23 19:17:34 EDT 2008
Stephan Wehner wrote on 5/22/2008 2:20 PM:
> On Wed, May 21, 2008 at 8:27 PM, Bil Corry <bil at corry.biz> wrote:
>> One final method that I've contemplated, but haven't had time to build a
>> PoC, is to use HTTP Digest Authentication and use XHR to passively
>> "authenticate" the user with the username being their session ID, and the
>> password a random value. Then using Digest's nonce, you can prevent replay
>> attacks, etc. The downside is you have to initially seed the browser with...
>
> Similar to this one?
>
> http://www.peej.co.uk/articles/http-auth-with-html-forms.html
Yes, the code I use is below; it uses jQuery for the XHR request.
- Bil
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Passive Login Demo</title>
  <script src="http://jqueryjs.googlecode.com/files/jquery-1.2.3.min.js" type="text/javascript"></script>
  <script language="JavaScript" type="text/javascript">
    $(function(){
      $.ajax({
        url: "passwordCheck.lasso",
        cache: false,
        async: false,
        username: "myusername",
        password: "mypassword",
        success: function(html){
          window.location = "loggedin.lasso";
        },
        error: function(html){
          alert("Sorry, unable to log you in.");
          return false;
        }
      });
    });
  </script>
</head>
<body style="background: white;">
  <h1>Please wait...</h1>
  You are being authenticated. Please turn on JavaScript if you see this message for longer than 30 seconds.
</body>
</html>