WebApp Sec mailing list archives
Re: Encrypted URL
From: Michael Ströder <michael () stroeder com>
Date: Mon, 02 Feb 2004 09:01:08 +0100
Stephen de Vries wrote:
> It looks like what you're attempting to do is to send data from the server to the client, and ensure that the client sends the same data back. But you already know what the values are before sending them to the client, and you can read the values sent back from the client, so why sign the values, when you can just compare them before and after the post? Why jump through hoops trying to send static data to the client, when you can store and control everything on the server side?
For most web apps it's not necessary to sign data to send it to the client and get it back. As you pointed out, the web app already knows the data and therefore proper session management is sufficient.
But as Jeff Williams already mentioned, it does make sense in a load-balancing architecture. Or, I'd add, it's useful when doing cross-site single sign-on, either Cookie- or URL-based. But the key management in such a situation is very tricky: PKI comes to mind...
Ciao, Michael.
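
Added example, not part of the original message or thread: the load-balancing case mentioned above, where one node signs values that travel through the client and a different node verifies them without a shared session store. The key ids, demo keys, sample values and function names are assumptions made for illustration; it uses a shared-secret HMAC, so it does not address the cross-site key-distribution problem the message raises.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys, provisioned on every node behind the load balancer.
# The key id ("kid") lets nodes keep accepting the previous key during rotation.
KEYS = {"k1": b"constructed-demo-key-1", "k2": b"constructed-demo-key-2"}
CURRENT_KID = "k2"

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(kid, body):
    # The kid is covered by the MAC so it cannot be swapped independently.
    msg = f"{kid}.{body}".encode()
    return b64e(hmac.new(KEYS[kid], msg, hashlib.sha256).digest())

def sign(values, ttl=300, now=None):
    """Issuing node: serialize the values plus an expiry and attach a MAC."""
    now = time.time() if now is None else now
    payload = {"v": values, "exp": int(now) + ttl}
    body = b64e(json.dumps(payload, sort_keys=True).encode())
    return f"{CURRENT_KID}.{body}.{mac(CURRENT_KID, body)}"

def verify(token, now=None):
    """Any node: return the values, or None if forged, altered or expired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or parts[0] not in KEYS:
        return None
    kid, body, tag = parts
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(mac(kid, body).encode(), tag.encode()):
        return None
    payload = json.loads(b64d(body))  # parsed only after the MAC checks out
    if payload["exp"] < now:
        return None
    return payload["v"]

if __name__ == "__main__":
    token = sign({"user": "alice", "role": "viewer"})  # constructed sample values
    print(token)
    print(verify(token))
```

The values are signed, not encrypted, so the client can still read them; the MAC only guarantees that what comes back is what a node issued and has not expired.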