[Webware-devel] Re: [Webware-discuss] Session Riding

2004-12-23 Thread Mark Phillips
On Dec 23, 2004, at 8:10 AM, Geoffrey Talvola wrote:
> Frank Barknecht wrote:
>> Geoffrey Talvola wrote:
>>> So the most secure solution is indeed to use URL secrets, like the
>>> incrementing id already proposed (which must not be guessable) or
>>> random secrets (like in Funcs.uniqueId(), but they lead to uglier
>>> URLs), in combination with Cookie based sessions.
>> It might be nice to add some kind of secrets to Webkit.Page or another
>> place in WW.
> The secret could be automatically placed in the path using a similar
> mechanism to the one used for path sessions.  This wouldn't be hard to add.
> I may take a crack at it sometime in January.
Geoff,
I found the article Dos and Don'ts of Client Authentication on the 
Web from MIT to be enlightening when I implemented a security model 
for the XML-RPC project I built upon Webware. Here is a link to the 
abstract on usenix.org:

http://www.usenix.org/publications/library/proceedings/sec01/fu.html
The full text can be downloaded from that page. The Cookie Eaters page 
also has this document and several others on topic.

http://cookies.lcs.mit.edu/
I would be interested in links for other documents on this topic, 
should anyone care to share them.

hth,
Mark Phillips
Mophilly & Associates
On the web at http://www.mophilly.com
On the phone at 619 444-9210

---
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
___
Webware-devel mailing list
Webware-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/webware-devel
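The quoted proposal above (an unguessable secret carried in the URL, checked against a cookie-based session) is the classic defence against session riding. The following is an added illustration, not code from Webware or from anyone in this thread; the session store, the `_secret` parameter name and the URL helpers are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for a server-side session store keyed by the cookie's session id.
SESSIONS = {}
TOKEN_PARAM = "_secret"  # assumed parameter name; the thread does not fix one


def new_session():
    """Create a cookie-backed session and give it its own random, unguessable secret.

    A random value is used rather than an incrementing id precisely because an
    attacker who can predict the next id could still forge a valid link.
    """
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"url_secret": secrets.token_urlsafe(32)}
    return sid


def secured_url(base, sid, params):
    """Build a link that carries the session's secret, as the path-session
    mechanism would place it automatically."""
    query = dict(params)
    query[TOKEN_PARAM] = SESSIONS[sid]["url_secret"]
    return base + "?" + urlencode(query)


def is_genuine_request(sid_from_cookie, url):
    """Accept a state-changing request only when the cookie session exists and the
    secret in the URL matches the one stored for that session.

    The browser attaches the cookie to any request, including one triggered from a
    third-party page, so the cookie alone proves nothing; the secret in the URL is
    something only pages served to this session could have contained.
    """
    session = SESSIONS.get(sid_from_cookie)
    if session is None:
        return False
    supplied = parse_qs(urlparse(url).query).get(TOKEN_PARAM, [""])[0]
    # Constant-time comparison so the check does not leak the secret byte by byte.
    return hmac.compare_digest(supplied, session["url_secret"])
```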


Re: [Webware-devel] Re: [Webware-discuss] Session Riding

2004-12-23 Thread Mark Phillips
Oops, sent this to the wrong list...
Sorry about that.
 - Mark
