Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Webmail.bellsouth.net security problems

From: emarshal () LOGIC NET (Edward S. Marshall)
Date: Tue, 25 Aug 1998 21:19:55 -0500

On Tue, 25 Aug 1998, Marc Slemko wrote:

This is one of the situations where cookies are actually one of the better
solutions.  HTTP authentication is even better, but many people dislike it
because they can't control the login prompt and due to how it can be
cached by the client.


Another solution is to supply this data via POST instead of in the URL.
While it has an impact on design (everything has to be submitted via
buttons instead of just clicking links), it avoids any data being sent in
the URL. Do this with SSL, and the data should never be cached by an
intermediate machine.

SSL is a must with this type of thing anyway; the whole caching issue
becomes moot that way, along with a number of other security concerns.

--
-------------------.  emarshal at logic.net  .---------------------------------
Edward S. Marshall  `-----------------------'   http://www.logic.net/~emarshal/
Previous By Date Next
Previous By Thread Next

Current thread: