[WEB SECURITY] IP address change: relogin

Bil Corry bil at corry.biz
Fri May 23 19:17:34 EDT 2008

Stephan Wehner wrote on 5/22/2008 2:20 PM: 
> On Wed, May 21, 2008 at 8:27 PM, Bil Corry <bil at corry.biz> wrote:
>> One final method that I've contemplated, but haven't had time to build a
>> PoC, is to use HTTP Digest Authentication and use XHR to passively
>> "authenticate" the user with the username being their session ID, and the
>> password a random value.  Then using Digest's nonce, you can prevent replay
>> attacks, etc.  The downside is you have to initially seed the browser with...
> Similar to this one?
> http://www.peej.co.uk/articles/http-auth-with-html-forms.html

Yes, the code I use is below; it uses jQuery for the XHR request.

- Bil

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
		<title>Passive Login Demo</title>
		<script src="http://jqueryjs.googlecode.com/files/jquery-1.2.3.min.js" type="text/javascript"></script>
		<script type="text/javascript">
			$(document).ready(function(){
				// Synchronous XHR to the Digest-protected resource. jQuery hands the
				// username/password to XMLHttpRequest.open(), so the browser answers
				// the server's Digest challenge itself and caches the credentials.
				$.ajax({
					url: "passwordCheck.lasso",
					cache: false,
					async: false,
					username: "myusername",
					password: "mypassword",
					success: function(html){
						// handler body not preserved in the archived message
					},
					error: function(html){
						alert("Sorry, unable to log you in.");
						return false;
					}
				});
			});
		</script>
	</head>
	<body style="background: white;">
		<h1>Please wait...</h1>
		You are being authenticated.  Please turn on JavaScript if you see this message for longer than 30 seconds.
	</body>
</html>
