[WEB SECURITY] Password-less login ?

BSDwiz bsdwiz at gmail.com
Mon Jan 28 19:23:24 EST 2013


Yep, after the domain name it's all encrypted via HTTP(S). But it would still be in the clear in the web server logs.

-phil

On Jan 28, 2013, at 3:07 PM, Glenn Pierce <glennpierce at gmail.com> wrote:

> Thanks for the good ideas, everyone. I have a few things to think about.
> 
> When accessing through HTTPS, what will upstream proxies log? Just the encrypted URL, right?
> 
> 
> On 28 January 2013 09:13, Glenn Pierce <glennpierce at gmail.com> wrote:
>> Hi, I'd like to have opinions on the security of logging into a website
>> with just a UID,
>> i.e.
>> 
>> https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2
>> 
>> I have inherited a system that provides a login for tablets which log in in this manner.
>> (It needs an automated login for the tablets.)
>> Obviously the URL is required to be encrypted by always requiring HTTPS.
>> 
>> 
>> We often provide one-time tokens like this when someone has forgotten their password.
>> But why not allow this to be a permanent login?
>> 
>> Why is requiring a UID like the above worse than a username/password?
>> I believe I am missing something stupid, as you would see more of this kind of thing otherwise.
>> That makes me nervous.
>> 
>> Thanks for any feedback.
> 
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
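The log-file problem Phil raises above, shown as an added example (this is not code from the thread or from the inherited system). It uses two constructed access-log lines in Common Log Format, one of which carries the token quoted in the original question, and it assumes a token is any run of 32 or more hex characters after `/login/`. It shows three things: how to find tokens already sitting in clear in the log, how to rewrite the log so the path carries only a short fingerprint, and how to store and check the token server-side so that a leaked log or database dump does not hand out a working credential.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample access-log lines (Common Log Format) of the kind Apache or
# nginx would write for the login URL discussed in the thread. The client
# addresses and the second request are invented; the first token is the one
# quoted in the original question.
SAMPLE_LOG = (
    '203.0.113.7 - - [28/Jan/2013:15:07:01 -0500] '
    '"GET /login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2 HTTP/1.1" 302 0\n'
    '203.0.113.8 - - [28/Jan/2013:15:08:14 -0500] '
    '"GET /static/app.js HTTP/1.1" 200 5120\n'
)

# Assumed token format: the hex blob after /login/ (32 or more hex characters).
TOKEN_IN_PATH = re.compile(r"(/login/)([0-9a-f]{32,})")


def find_leaked_tokens(log_text):
    """Return every login token that sits in clear text in the access log.
    TLS protects the path on the wire, but the server writes it to disk."""
    return [m.group(2) for m in TOKEN_IN_PATH.finditer(log_text)]


def fingerprint(token):
    """Short, non-reversible identifier for a token: enough to correlate
    requests in the log, useless for logging in."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def redact_log(log_text):
    """Rewrite the log so the path carries a fingerprint instead of the token.
    The replacement starts with a non-hex character, so it is not matched again."""
    return TOKEN_IN_PATH.sub(
        lambda m: m.group(1) + "sha256_" + fingerprint(m.group(2)), log_text)


def issue_token():
    """Create a new login token. Only the hash is kept server-side, so a
    leaked log or database dump does not hand out a working credential.
    Plain SHA-256 is adequate here because the token is 224 bits of CSPRNG
    output, unlike a user-chosen password."""
    token = secrets.token_hex(28)   # 56 hex chars, same length as in the thread
    return token, hashlib.sha256(token.encode()).hexdigest()


def verify_token(presented, stored_hash):
    """Hash the presented token and compare in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


if __name__ == "__main__":
    print("tokens in clear:", find_leaked_tokens(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
    tok, h = issue_token()
    print("verify:", verify_token(tok, h), verify_token(tok[:-1] + "x", h))
```

Redaction only helps with logs the server is about to write (or ones you post-process); the token still passes through every proxy and log-shipping pipeline as part of the request line. Carrying it in an `Authorization` header or a POST body instead keeps it out of default access-log formats, and hashing server-side limits what any copy of the log is worth.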