Full Disclosure mailing list archives
Re: [Webappsec] Paper: Weaning the Web off of Session Cookies
From: Chris Travers <chris () metatrontech com>
Date: Mon, 1 Feb 2010 12:19:30 -0800
Hi all;

Just backing up Tim here a bit. In LedgerSMB 1.3, we decided to go to HTTP auth because of some changes in the security architecture of the software. After looking at alternatives, we concluded that http auth was likely to be the way to go in the long run. There are some constraints which preclude the use of Digest authentication (negotiated and basic work OK, but the latter really requires SSL). In general the issues came down to:

1) We do pass-through authentication, and both authentication and permissions enforcement occur on the database level.

2) To do this effectively, we would have to either store the database passwords somewhere accessible to the web server (opening up possible attacks) or we would have to pass it back using some sort of secure, but reversible encryption scheme. Since the key would have to be accessible on the server, this didn't seem as secure to us as just requiring a usable auth token to be passed to the web server via http auth.

There are substantial hurdles to overcome to make this work. However, moving to an HTTP auth framework means that a number of really powerful tools are gained. While it isn't standard yet, I hope the industry moves in that direction.

I do think we need some sort of HTTP status or other header information that would tell a browser to clear the auth cache and not try again.

Best Wishes,
Chris Travers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
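The pass-through design Chris describes (the web tier never holds database credentials; it forwards the HTTP auth credentials to the database for each request and lets the database decide) can be sketched in a few lines. The following is an added illustration, not LedgerSMB code or anything from the original post. It assumes Basic authentication, a constructed account table standing in for the database's own password check (`db_connect`), a made-up realm name, and a request handler that refuses to solicit Basic credentials unless the connection is already TLS, which is the "basic really requires SSL" caveat from the message.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed stand-in for accounts the *database* knows about. In a
# pass-through design the web tier never stores these; this dict only
# simulates the database accepting or rejecting a login.
_FAKE_DB_ACCOUNTS = {"alice": "s3cret"}


def make_basic_header(user: str, password: str) -> str:
    """Client side: build the 'Authorization: Basic ...' value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: return (user, password) from a Basic header, else None.

    Basic credentials are only base64-encoded, not encrypted, which is why
    the scheme is only acceptable over TLS.
    """
    if not header:
        return None
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Only the first colon separates user from password; passwords may contain ':'
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def db_connect(user: str, password: str) -> bool:
    """Hand the credentials straight to the database (constructed stand-in).

    A real implementation would open a connection *as* `user` and let the
    database authenticate it and enforce permissions for this request only.
    """
    return _FAKE_DB_ACCOUNTS.get(user) == password


def handle_request(headers: Dict[str, str], is_tls: bool) -> Tuple[int, Dict[str, str]]:
    """Authenticate one request by pass-through; return (status, response headers)."""
    challenge = {"WWW-Authenticate": 'Basic realm="ledger"'}  # realm is made up
    if not is_tls:
        # Never challenge for (or accept) Basic credentials over plaintext.
        # A deployment would normally redirect to https first.
        return 403, {}
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    creds = parse_basic_auth(lower.get("authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    if not db_connect(user, password):
        return 401, challenge
    # Credentials were used for this request's database session only and are
    # not written anywhere on the web tier.
    return 200, {}


if __name__ == "__main__":
    hdr = {"Authorization": make_basic_header("alice", "s3cret")}
    print(handle_request({}, is_tls=True))          # (401, challenge)
    print(handle_request(hdr, is_tls=True))         # (200, {})
    print(handle_request(hdr, is_tls=False))        # (403, {})
```

The point of the sketch is that the only secret the web server ever sees is the one the browser re-sends on each request, so there is no stored password file or reversible-encryption key for an attacker to target on the web tier; the trade-off, as the message notes, is that the server has no standard way to tell the browser to forget those cached credentials.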
Current thread:
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Chris Travers (Feb 02)
- <Possible follow-ups>
- Re: [Webappsec] Paper: Weaning the Web off of Session Cookies Timothy D. Morgan (Feb 05)