[WEB SECURITY] Password-less login ?
mikedawg at gmail.com
Mon Jan 28 18:31:18 EST 2013
Depends on the proxy and its functions. Many proxies now monitor SSL
traffic by acting as a go-between.
On Jan 28, 2013 4:16 PM, "Glenn Pierce" <glennpierce at gmail.com> wrote:
> Thanks for the good ideas everyone. I have a few things to think about.
> When accessing through https, what will upstream proxies log? Just
> the encrypted URL, right?
> On 28 January 2013 09:13, Glenn Pierce <glennpierce at gmail.com> wrote:
>> Hi, I'd like to have opinions on the security of logging into a website
>> with just a uid.
>> I have inherited a system that provides a login for tablets, which log
>> in in this manner.
>> (It needs an automated login for the tablets.)
>> Obviously the URL is required to be encrypted by always requiring https.
>> We often provide one time tokens like this when someone has forgotten
>> their password.
>> But why not allow this to be a permanent login?
>> Why is requiring a uid like above worse than a username, password?
>> I believe I am missing something stupid as you would see more of this
>> kind of thing.
>> That makes me nervous.
>> Thanks for any feedback.