[WEB SECURITY] Password-less login ?

Glenn Pierce glennpierce at gmail.com
Mon Jan 28 16:07:27 EST 2013


Thanks for the good ideas everyone. I have a few things to think about.

When accessing through https, what will upstream proxies log? Just
the encrypted URL, right?


On 28 January 2013 09:13, Glenn Pierce <glennpierce at gmail.com> wrote:

> Hi, I'd like to have opinions on the security of logging into a website
> with just a uid,
> i.e.
>
>
> https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2
>
> I have inherited a system that provides a login for tablets which log in
> in this manner.
> (It needs an automated login for the tablets.)
> Obviously the URL is required to be encrypted by always requiring https.
>
>
> We often provide one-time tokens like this when someone has forgotten
> their password.
> But why not allow this to be a permanent login?
>
> Why is requiring a uid like the above worse than a username/password?
> I believe I am missing something stupid, as otherwise you would see more of this kind
> of thing.
> That makes me nervous.
>
> Thanks for any feedback.
>
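To make the proxy question concrete, here is an added Python sketch (not from the thread or its author) that models what a forward proxy relaying an HTTPS request can record versus what the origin server's access log captures, and one defensive step of masking the token before log lines are stored. The URL is the shape quoted above; the token value is constructed and the log formats are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed URL in the shape discussed in the thread; the token is made up.
LOGIN_URL = ("https://someserver.com/login/"
             "a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2")


def proxy_view(url):
    """What an upstream forward proxy can log for a request it relays.

    For https the client sends only 'CONNECT host:port'; the path and
    query travel inside TLS and are opaque to the proxy. The hostname
    itself still leaks (CONNECT line, DNS, TLS SNI). For plain http the
    whole request line, token included, is visible.
    """
    u = urlsplit(url)
    if u.scheme == "https":
        return f"CONNECT {u.hostname}:{u.port or 443}"
    return f"GET {url}"


def origin_log_line(url):
    """What the origin server (or any TLS-terminating reverse proxy or
    CDN in front of it) writes to its access log: the decrypted request
    line, so a token in the path lands in the log in clear text. The
    same path also ends up in browser history and outgoing Referer
    headers. Log format here is an assumed common-log style."""
    u = urlsplit(url)
    path = u.path + (f"?{u.query}" if u.query else "")
    return f'{u.hostname} - - "GET {path} HTTP/1.1" 200'


# Matches the hex token segment after /login/ so it can be masked.
TOKEN_RE = re.compile(r"(/login/)[0-9a-f]{32,}")


def redact(line):
    """Mask login tokens in a log line before it is stored or shipped."""
    return TOKEN_RE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    print("proxy sees :", proxy_view(LOGIN_URL))
    print("origin logs:", origin_log_line(LOGIN_URL))
    print("redacted   :", redact(origin_log_line(LOGIN_URL)))
```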