[WEB SECURITY] Password-less login ?

Subin subin.net at gmail.com
Mon Jan 28 14:57:52 EST 2013


Glenn, it's considered best practice not to send auth tokens in URL due to risks of upstream logging , also proxies and firewalls may log it and then making it permanent would only increase the risk.

Thanks 
Subin 

Sent from my iPhone

On Jan 28, 2013, at 4:13 AM, Glenn Pierce <glennpierce at gmail.com> wrote:

> Hi I like to have opinions on the security of logging into a website
> with just a uid 
> ie
> 
> https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2
> 
> I have inherited a system that provides a login for tablets which login in this manner.
> (It needs an automated login for the tablets)
> Obviously the url in required to be encrypted by always requiring https.
> 
> 
> We often provide one time tokens like this when someone has forgotten their password.
> But why not allow this to be a permanent login ?
> 
> Why is requiring a uid like above worst than a username,password ?  
> I believe I am missing something stupid as you would see more of this kind of thing.
> That makes be nervous.
> 
> Thanks for any feedback.
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20130128/e8712642/attachment-0003.html>


More information about the websecurity mailing list