Hi
When reading this
LoginSecurityFAQ<http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ>
String password = /*(get password from incoming JSON or GWT-RPC request)*/;
String hashFromDB = /*(obtain hash from user's db entry)*/;
boolean valid = BCrypt.checkpw(password, hashFromDB);
if ( valid ) generateSessionIDAndSendItBackToClient();
else sendErrorToClient("Wrong Username or Password.");
The article explained that the password is retrieved from the incoming JSON
or GWT-RPC.
If I read this correctly, this means the password is sent over the wire (and
not secured)?
On Wed, Aug 20, 2008 at 11:25 PM, walden <[EMAIL PROTECTED]>wrote:
>
> Hi cresteb,
>
> When contemplating security for a network application, you have to ask
> yourself how secure is secure enough. Security on the web is like the
> locks on your doors: there is no sure way to prevent all attacks; you
> can only lower the value to potential attackers by making the attack
> harder to achieve.
>
> A couple of notes on your writeup (independently numbered):
>
> 1. For registration, I would never send a password over the wire, only
> its hash. If your entire interaction is going to be over SSL, ignore
> that, because it's a given.
>
> 2. HTTP Digest Authentication, which was by no means maturely
> implemented eight years ago, is a different story today. It
> alleviates most concerns by never sending identifying information in
> clear text and by changing salt (or whatever they call it) to make Man
> In Middle and other attacks harder. In my view, most of the gyrations
> developers go through today with http<-->https switching and sessions
> and session cookie duplication, and so on and so on, are a poor
> alternative to HTTP Digest, which deserves a fresh look.
>
> Hope this helps,
>
> Walden
>
>
> On Aug 19, 10:11 pm, cresteb <[EMAIL PROTECTED]> wrote:
> > Hello!
> >
> > I have some basic questions on the Register + Login + Keep session
> > alive process described on the Login Security FAQ.
> >
> > I know this is a little bit offtopic, but it would be really helpful
> > for me and other newbies if anyone can clarify some issues.
> >
> > This is how I see the process with some questions attached, please
> > correct it where necessary!
> >
> > Register:
> >
> > 1) Send username and password from client to server.
> > Q: I guess all the sites make this step over https so anyone can sniff
> > the password, right?
> >
> > 2) Store in the DB the username and the hash of the password.
> >
> > Login:
> >
> > 1) Send username and password from client to server (again over SSL).
> >
> > 2) Calculate the pasword's hash and look for a register in the DB that
> > contains that username and hash combination.
> >
> > 3) Return a session ID from server to client.
> > Q: Is this also done through https? If not, can't it be this session
> > id intercepted and used later to make a query as if you were other
> > user?
> >
> > During the session:
> >
> > 1) For every request from the client, include the session id, so the
> > server knows which user is sending the request and it is able to check
> > if the session is still active.
> > Q: Is secure enough just sending the session ID in order to identify
> > the user?
> > Q: The same as above...should it be sent through https?
> >
> > 2) Check if the session ID is valid or not. If its valid, send the
> > response with the data of the associated user.
> > Q: Is it also recommended to send a new session ID on each request so
> > we increase the security?
> >
> > Please, feel free to suggest me any document related with this topic.
> >
> > Thanks is advance!
> >
>
--
Hez
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---
