[WEB SECURITY] Password-less login?

Jim Manico jim at manico.net
Mon Jan 28 15:07:09 EST 2013


Well said, but kick it up a notch. I actually recommend keeping *all
sensitive data* out of URLs for just this reason. Passwords, PII,
authentication tokens - anything you do not want leaking should stay out
of URLs (HTTP/S GETs).

The more positive rule is to only submit sensitive data over HTTPS POST.

There are of course additional sub rules in the age of AJAX and JSON,
but this is a good start.

Cool?

Jim Manico
@Manicode

> Glenn, it's considered best practice not to send auth tokens in URLs due to the risk of upstream logging; proxies and firewalls may also log them, and making the token permanent would only increase the risk.
>
> Thanks 
> Subin 
>
> Sent from my iPhone
>
> On Jan 28, 2013, at 4:13 AM, Glenn Pierce <glennpierce at gmail.com> wrote:
>
>> Hi, I'd like to have opinions on the security of logging into a website
>> with just a uid,
>> i.e.
>>
>> https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2
>>
>> I have inherited a system that provides a login for tablets which log in in this manner.
>> (It needs an automated login for the tablets.)
>> Obviously the URL is required to be encrypted by always requiring HTTPS.
>>
>>
>> We often provide one-time tokens like this when someone has forgotten their password.
>> But why not allow this to be a permanent login?
>>
>> Why is requiring a uid like the above worse than a username and password?
>> I believe I am missing something stupid, as otherwise you would see more of this kind of thing.
>> That makes me nervous.
>>
>> Thanks for any feedback.
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>

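To make the thread's point concrete, here is an added example (not code from any poster or from the original system) showing how a URL-carried login token is persisted verbatim by an ordinary access log, a log-side redaction that limits the damage, and the policy Jim describes: the token is accepted only from the body of an HTTPS POST. All function names and the sample token are assumptions constructed for the example.

```python
"""Added example: login tokens in URLs leak into logs; accept them via HTTPS POST only."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample token, same shape as the hex uid in the original question.
SAMPLE_TOKEN = "0123456789abcdef" * 4
SENSITIVE_PARAMS = {"token", "password", "auth", "session", "uid"}
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$")


def access_log_line(method, url, status):
    """Mimics a typical access log: the request line is written verbatim.
    Whatever sits in the path or query string is persisted here, and on every
    proxy or firewall in between; a POST body is not part of this line."""
    return f'"{method} {url} HTTP/1.1" {status}'


def redact_url(url):
    """Mask long hex path segments and sensitive query parameters before a URL
    reaches our own log. This limits exposure but does not fix the design:
    upstream systems still log the original URL."""
    parts = urlsplit(url)
    path = "/".join("REDACTED" if HEX_TOKEN.match(seg) else seg
                    for seg in parts.path.split("/"))
    query = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def accept_login_token(method, scheme, body, query):
    """Policy from the thread: a login token is only accepted from the body of
    an HTTPS POST. Returns (accepted, reason)."""
    if any(k.lower() in SENSITIVE_PARAMS for k in query):
        return False, "sensitive data in URL is refused (it would be logged)"
    if scheme != "https":
        return False, "plaintext transport"
    if method != "POST":
        return False, "only an HTTPS POST body may carry the token"
    if not HEX_TOKEN.match(body.get("token", "")):
        return False, "malformed token"
    return True, "ok"


if __name__ == "__main__":
    leaky = f"https://someserver.com/login/{SAMPLE_TOKEN}"
    print(access_log_line("GET", leaky, 200))          # token persisted in the log
    print(access_log_line("GET", redact_url(leaky), 200))
    print(accept_login_token("GET", "https", {}, {"token": SAMPLE_TOKEN}))
    print(accept_login_token("POST", "https", {"token": SAMPLE_TOKEN}, {}))
```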