Hello,
As a follow-up to my paper advocating HTTP authentication over
cookies [1], I've built a simple sample application which demonstrates
how a combination of XMLHttpRequest and response code tricks can be
used to achieve form-based login, logout, and authenticated password
changes in the four
> > Yes it does :/ But I think it's easier to get sites to implement OpenID
> > than it is to support HTTP Auth with certificates. Do you think it is
> > possible to use OpenID without cookies?
>
> I suspect it's difficult to use OpenID without cookies in today's
> browsers. The challenge is you
> This is why I try to use OpenID where possible, since my provider
> supports certificate login, which removes the necessity from the web
> site to support it (as long as it supports OpenID of course).
That's handy, but doesn't that mean the website you're accessing will
still use cookies once yo
Hi Daniel,
Thanks for taking the time to read through it.
> This is an area Mozilla has been interested in. You should talk to our
> "Mozilla Labs" folks who have been working on Identity in the browser.
> They are coming at it from a different angle but there's a lot of
> overlap between the pr
Hello,
I would like to bring your attention to a paper I published today:
http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
It includes a few minor security problems with HTTP authentication
dialog boxes and password managers in several browsers.
More importantly, i