[WEB SECURITY] Password-less login?
subin.net at gmail.com
Mon Jan 28 14:57:52 EST 2013
Glenn, it's considered best practice not to send auth tokens in a URL due to the risk of upstream logging; proxies and firewalls may also log it, and making it permanent would only increase the risk.
Sent from my iPhone
On Jan 28, 2013, at 4:13 AM, Glenn Pierce <glennpierce at gmail.com> wrote:
> Hi, I would like to have opinions on the security of logging into a website
> with just a UID.
> I have inherited a system that provides a login for tablets which log in in this manner.
> (It needs an automated login for the tablets.)
> Obviously the URL is required to be encrypted by always requiring HTTPS.
> We often provide one-time tokens like this when someone has forgotten their password.
> But why not allow this to be a permanent login?
> Why is requiring a UID like above worse than a username and password?
> I believe I am missing something stupid, as you would see more of this kind of thing.
> That makes me nervous.
> Thanks for any feedback.
> The Web Security Mailing List
> websecurity at lists.webappsec.org
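The two points in this exchange (a token in the URL is written to every access log and Referer on the path, and a permanent token turns each of those copies into a permanent login) can be shown in code. The following is an added example for this page, not code from either poster or from the tablet system Glenn inherited. It assumes a constructed "combined" access log line, a hostname example.test, a path /tablet/login, a query parameter named token, and user names chosen for illustration; the token store with a hashed-at-rest, expiring, single-use token is one way to build the "one-time token" he mentions, and the permanent variant is the design he is asking about.

```python
"""Added example, not code from the thread: shows (1) where a login token carried
in the URL ends up, and (2) a token store in which a leaked token is worthless
after one use or a short TTL, versus the permanent UID login being asked about.
Hostnames, log lines, user names and the /tablet/login path are all constructed."""
import hashlib
import secrets
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit


def combined_log_line(method: str, url: str, referer: str = "-") -> str:
    """Constructed Apache/nginx 'combined' access log line. The request line
    (path plus query string) and the Referer are logged verbatim; Authorization
    and Cookie headers are not. Every proxy, CDN and web server on the path
    writes one of these, which is the 'upstream logging' in the reply above."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return (f'10.0.0.7 - - [28/Jan/2013:14:57:52 -0500] "{method} {target} HTTP/1.1" '
            f'200 512 "{referer}" "TabletBrowser/1.0"')


def token_from_url(url: str) -> Optional[str]:
    """What anyone who can read the log (or the Referer) recovers from a URL."""
    return parse_qs(urlsplit(url).query).get("token", [None])[0]


class TokenStore:
    """Server-side login tokens. Only SHA-256(token) is stored, so a read of the
    table does not yield usable tokens; tokens expire after `ttl_seconds`
    (None = never) and, when `single_use`, are destroyed on first redemption.
    `now` is injectable so the clock can be moved in a test."""

    def __init__(self, ttl_seconds: Optional[int] = 600, single_use: bool = True,
                 now: Callable[[], float] = time.time):
        self.ttl, self.single_use, self.now = ttl_seconds, single_use, now
        self._rows: dict[str, tuple[str, Optional[float]]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable UID
        expires = None if self.ttl is None else self.now() + self.ttl
        self._rows[self._key(token)] = (user, expires)
        return token  # handed out once; the clear-text token is not retained

    def redeem(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None. A single-use token is
        removed on the first attempt whether or not it was still valid."""
        key = self._key(token)
        row = self._rows.pop(key, None) if self.single_use else self._rows.get(key)
        if row is None:
            return None
        user, expires = row
        if expires is not None and self.now() > expires:
            return None
        return user


def replay_from_log(store: TokenStore, log_line: str) -> Optional[str]:
    """An attacker with read access to the log tries the token it contains."""
    target = log_line.split('"')[1].split(" ")[1]  # request target in the quoted request line
    token = token_from_url("https://example.test" + target)
    return store.redeem(token) if token else None


if __name__ == "__main__":
    one_time = TokenStore(ttl_seconds=600)
    t = one_time.issue("glenn")
    line = combined_log_line("GET", f"https://example.test/tablet/login?token={t}")
    print(line)                              # the token sits in the log in clear
    print(one_time.redeem(t))                # glenn: the legitimate first use
    print(replay_from_log(one_time, line))   # None: replaying the logged token fails

    permanent = TokenStore(ttl_seconds=None, single_use=False)
    p = permanent.issue("tablet-12")
    line = combined_log_line("GET", f"https://example.test/tablet/login?token={p}")
    print(replay_from_log(permanent, line))  # tablet-12: the log entry is now a login, forever

    # If the logged-in page then fetches anything from a third party, the Referer
    # header delivers the same URL, token included, to that party's logs as well.
    print(combined_log_line("GET", "https://cdn.example.net/app.js",
                            referer=f"https://example.test/tablet/login?token={p}"))
```

The design choice worth noting: for a tablet that genuinely needs an unattended login, the short-lived URL token should only bootstrap a session (or a device credential stored on the tablet and sent in a header or cookie), so nothing long-lived ever appears in a request line.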