[WEB SECURITY] Password-less login?

Glenn Pierce glennpierce at gmail.com
Mon Jan 28 04:13:41 EST 2013


Hi, I'd like to have opinions on the security of logging into a website
with just a uid,
i.e.

https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2

I have inherited a system that provides a login for tablets which log in in
this manner.
(It needs an automated login for the tablets.)
Obviously the URL is required to be encrypted by always requiring HTTPS.


We often provide one time tokens like this when someone has forgotten their
password.
But why not allow this to be a permanent login?

Why is requiring a uid like the one above worse than a username and password?
I believe I am missing something stupid, as otherwise you would see more of this kind
of thing.
That makes me nervous.

Thanks for any feedback.
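The server side of a `/login/<token>` scheme that addresses the properties raised in the post, as an added example rather than code from the post or the inherited system (the class and method names, the 15-minute default lifetime and the hashed store are assumptions): only digests of issued tokens are stored, each token expires, can be single-use like the forgotten-password links mentioned above, and can be revoked per device, and lookups use a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime for a login link; the post's tokens have none.
DEFAULT_TTL_SECONDS = 15 * 60


class TokenStore:
    """Only SHA-256 digests of issued tokens are kept, so a copy of this
    table yields no working login URLs. Entries expire, may be single-use,
    and can be revoked per device (the equivalent of a password change)."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock for testing
        self._entries = {}     # digest -> (user, expires_at, one_time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, one_time=True, ttl=DEFAULT_TTL_SECONDS):
        # 256 bits from the OS CSPRNG, comparable in length to the uid in the post.
        token = secrets.token_hex(32)
        self._entries[self._digest(token)] = (user, self._now() + ttl, one_time)
        return token  # the raw token is handed out once and never stored

    def redeem(self, token):
        """Return the user for a valid token, else None; expired and used
        one-time tokens are dropped so they cannot be replayed."""
        wanted = self._digest(token)
        # Constant-time comparison avoids a timing side channel on the lookup.
        match = next((d for d in self._entries if hmac.compare_digest(d, wanted)), None)
        if match is None:
            return None
        user, expires_at, one_time = self._entries[match]
        expired = self._now() > expires_at
        if expired or one_time:
            del self._entries[match]
        return None if expired else user

    def revoke(self, user):
        """Invalidate every outstanding token for one user/device."""
        stale = [d for d, (u, _, _) in self._entries.items() if u == user]
        for d in stale:
            del self._entries[d]
        return len(stale)
```

A permanent per-tablet token can be modelled as `issue(user, one_time=False, ttl=...)`, which keeps the revocation path available if a device goes missing.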