[WEB SECURITY] Password-less login ?

Ray gunblad3 at gmail.com
Tue Jan 29 02:11:36 EST 2013


Upstream proxies only have visibility over the network information
(hostname, IP and port, etc.) for HTTPS connections.  That is, if they're
not acting as MITM proxies on purpose or not.

Regards,
Ray


On Tue, Jan 29, 2013 at 5:07 AM, Glenn Pierce <glennpierce at gmail.com> wrote:

> Thanks for the good ideas everyone. I have a few things to think about.
>
> When accessing through HTTPS, what will upstream proxies log? Just
> the encrypted URL, right?
>
>
> On 28 January 2013 09:13, Glenn Pierce <glennpierce at gmail.com> wrote:
>
>> Hi, I'd like to have opinions on the security of logging into a website
>> with just a uid,
>> i.e.
>>
>>
>> https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2
>>
>> I have inherited a system that provides a login for tablets, which log
>> in in this manner.
>> (It needs an automated login for the tablets.)
>> Obviously the URL is required to be encrypted by always requiring HTTPS.
>>
>>
>> We often provide one time tokens like this when someone has forgotten
>> their password.
>> But why not allow this to be a permanent login?
>>
>> Why is requiring a uid like above worse than a username, password?
>> I believe I am missing something stupid as you would see more of this
>> kind of thing.
>> That makes me nervous.
>>
>> Thanks for any feedback.
>>
>
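What a non-intercepting upstream proxy can read and log for the login URL in this thread, as an added example that is not part of the original messages: it builds the request head a client sends to a forward proxy for an https:// URL (a CONNECT tunnel) and, going slightly beyond the thread, for the same URL over plain http:// for contrast. The function names and the default ports 443/80 are this example's own choices.

```python
from urllib.parse import urlsplit

# URL taken from the thread; the token is the path segment after /login/.
LOGIN_URL = ("https://someserver.com/login/"
             "a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2")


def cleartext_seen_by_proxy(url: str) -> str:
    """Return the request head a forward proxy can read for `url`.

    Assumes an ordinary (non-MITM) forward proxy: for https it only
    relays the TLS bytes after CONNECT and cannot read the inner request.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    if parts.scheme == "https":
        port = parts.port or 443
        # The path, query and headers travel inside the TLS tunnel.
        return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
                f"Host: {host}:{port}\r\n\r\n")
    if parts.scheme == "http":
        # Plain HTTP via a proxy uses the absolute-form request target,
        # so the whole URL, token included, is readable and loggable.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        target = f"http://{netloc}{parts.path or '/'}"
        if parts.query:
            target += "?" + parts.query
        return f"GET {target} HTTP/1.1\r\nHost: {netloc}\r\n\r\n"
    raise ValueError("unsupported scheme: %r" % parts.scheme)


def token_exposed_to_proxy(url: str) -> bool:
    """True if the last path segment (the login token) is in the clear."""
    token = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    return bool(token) and token in cleartext_seen_by_proxy(url)


if __name__ == "__main__":
    for u in (LOGIN_URL, LOGIN_URL.replace("https://", "http://", 1)):
        print(token_exposed_to_proxy(u), repr(cleartext_seen_by_proxy(u)))
```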

