[WEB SECURITY] Form-based HTTP Authentication Proof of Concept
Timothy D. Morgan
tmorgan at vsecurity.com
Thu Feb 25 11:09:14 EST 2010
Hello,
As a follow up to my paper advocating HTTP authentication in place of
cookies [1], I've built a simple sample application which demonstrates
how a combination of XMLHttpRequest and response code tricks can be
used to achieve form-based login, logout, and authenticated password
changes in the four most popular browsers:
http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
Note that this is achieved without using any checks to determine what
browser is being used.
While this is promising, I still think we should have an HTTP-based
log out mechanism. In addition, the proposed W3C change to
XMLHttpRequest authentication behavior will make this code much
simpler.
cheers,
tim
1. http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
More information about the websecurity
mailing list