WebApp Sec mailing list archives

RE: Securing password between webserver & appserver.


From: Ken Schaefer <Ken () adOpenStatic com>
Date: Tue, 8 Sep 2009 13:48:41 +1000

Is this an internal application? Kerberos can be used to solve this problem for internal apps.

Alternatively, can you use client certificate based authentication?

Cheers
Ken

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chintan Oza
Sent: Monday, 7 September 2009 2:04 PM
To: webappsec () securityfocus com
Subject: Securing password between webserver & appserver.

Dear All,

We have a web application which performs user authentication on an
id+password basis.

The architecture is like this.
Browser<-HTTPS->WebServer<-->AppServer

We have a requirement where password should not be available to the WebServer (even in hashed format).

The only solution that I can think of is having an Applet perform PKI encryption on the password before submitting the
form.

Please suggest if there are any better alternatives.

Thanks,

Chintan