WebApp Sec mailing list archives

Re: Securing password between webserver & appserver.

From: Robert Hajime Lanning <robert.lanning () gmail com>
Date: Mon, 7 Sep 2009 09:58:49 +0100

On Mon, Sep 7, 2009 at 7:04 AM, Chintan Oza<chintan.oza () gmail com> wrote:

Browser<-HTTPS->WebServer<-->AppServer

We have a requirement where password should not be available to the
WebServer (even in hashed format).


CHAP should work just fine.  Just make sure the challenge is randomly generated.

-- 
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri

Current thread:

Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. Nikhil Wagholikar (Sep 07)
- Re: Securing password between webserver & appserver. Ali, Saqib (Sep 07)
  - Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
    - Re: Securing password between webserver & appserver. Ali, Saqib (Sep 07)
- Re: Securing password between webserver & appserver. Robert Hajime Lanning (Sep 07)
- RE: Securing password between webserver & appserver. EXT-Adams, Randall E (Sep 07)
- Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 07)
  - Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
    - Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 08)
- RE: Securing password between webserver & appserver. Ken Schaefer (Sep 07)
- Re: Securing password between webserver & appserver. Till Elsner (Sep 08)
  - Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
    - RE: Securing password between webserver & appserver. Calderon, Juan Carlos (GE, Corporate, consultant) (Sep 09)
- <Possible follow-ups>
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 07)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 08)