[WEB SECURITY] Password-less login ?
rohirp92 at yahoo.com
Fri Feb 1 14:41:48 EST 2013
People often confuse whether the URI is encrypted when HTTPS is used. It is indeed, and as Phil mentioned, only the domain name and a bit of other network information is logged on transparent proxies.
Though password-less login is a great idea, it has some practical disadvantages, like remembering a very long URL with a token and the expiry of those tokens. It might work in some small enterprise-level web app setups but is difficult to scale in multi-user applications.
From: BSDwiz <bsdwiz at gmail.com>
To: Glenn Pierce <glennpierce at gmail.com>
Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
Sent: Monday, January 28, 2013 4:23 PM
Subject: Re: [WEB SECURITY] Password-less login ?
Yep, after the domain name it's all encrypted via HTTP(S). But it would still be in the clear in the web server logs.
On Jan 28, 2013, at 3:07 PM, Glenn Pierce <glennpierce at gmail.com> wrote:
>Thanks for the good ideas everyone. I have a few things to think about.
>When accessing through HTTPS, what will upstream proxies log? Just the encrypted URL, right?
>On 28 January 2013 09:13, Glenn Pierce <glennpierce at gmail.com> wrote:
>>Hi, I'd like to have opinions on the security of logging into a website
>>with just a uid.
>>I have inherited a system that provides a login for tablets which log in in this manner.
>>(It needs an automated login for the tablets.)
>>Obviously the URL is required to be encrypted by always requiring HTTPS.
>>We often provide one-time tokens like this when someone has forgotten their password.
>>But why not allow this to be a permanent login?
>>Why is requiring a uid like above worse than a username and password?
>>I believe I am missing something stupid, as you would see more of this kind of thing.
>>That makes me nervous.
>>Thanks for any feedback.
The Web Security Mailing List
WebSecurity RSS Feed
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
websecurity at lists.webappsec.org
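The thread's concern is that a login token carried in the URL survives in proxy and web server logs. One defensive pattern, as an added example that is not code from the thread: issue a single-use, short-lived token, exchange it immediately for a cookie session so the URL copy becomes worthless, and redact the token from access-log lines. The query parameter name `t` and the in-memory stores are assumptions made for the example.

```python
import hashlib
import re
import secrets
import time

# Constructed in-memory stores for the example; a real deployment would use a database.
LOGIN_TOKENS = {}   # sha256(token) -> {"uid": ..., "expires": ..., "used": ...}
SESSIONS = {}       # session id -> uid

def issue_login_token(uid, ttl_seconds=600):
    """Mint a single-use, time-limited token for a URL such as /login?t=<token>."""
    token = secrets.token_urlsafe(32)
    # Store only the hash: a dump of this table does not yield usable login URLs.
    digest = hashlib.sha256(token.encode()).hexdigest()
    LOGIN_TOKENS[digest] = {"uid": uid, "expires": time.time() + ttl_seconds, "used": False}
    return token

def redeem_login_token(token, now=None):
    """Exchange the URL token for a session id, or return None if it is unknown,
    already used or expired. The caller sets the session id in a cookie and
    redirects to a token-free URL, so the token never needs to appear again."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = LOGIN_TOKENS.get(digest)
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True   # burn it: a copy left in a proxy or server log is now worthless
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = record["uid"]
    return session_id

# Matches the (assumed) token query parameter "t=" in a logged request line.
TOKEN_PARAM = re.compile(r"([?&]t=)[^&\s\"]+")

def redact_token(log_line):
    """Mask the token value before the request line is written to an access log."""
    return TOKEN_PARAM.sub(r"\1[REDACTED]", log_line)

if __name__ == "__main__":
    token = issue_login_token("tablet-17", ttl_seconds=60)
    print("first redeem ok:", redeem_login_token(token) is not None)
    print("replay blocked:", redeem_login_token(token) is None)
    # Constructed access-log line in common log format.
    line = '10.0.0.5 - - [28/Jan/2013:15:07:00 +0000] "GET /login?t=abc123&next=%2Fhome HTTP/1.1" 302 -'
    print(redact_token(line))
```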