The most common way of authenticating to web applications is:
Client: GET /login
Server: <html><form method=post>
Client: POST /login
        user=joesmith01&password=secret
Server: 200 OK
        Set-Cookie: acct=joesmith01,2008-10-21,sj89d89asd89s8d
The obvious problem with this is that passwords are

As I understand it: As an attacker, I can intercept that dXN...
string. Then I can simply make a login POST request myself at any time
in the future, sending the same encrypted string, and will get the
valid login cookies even though I don't know the password. So it
doesn't seem to work very

I notice there are specs for HTML5 dated today at:
http://www.whatwg.org/specs/web-apps/current-work/
http://www.w3.org/html/wg/html5/
diff -u shows a lot of difference, but most are cosmetic. (I gather
they're there because Hixie disagrees with some W3C pubrules but can't
get them changed.) Is

In the 11 September 2008 edition, section 1.6 of the HTML5 WD
(http://www.whatwg.org/specs/web-apps/current-work/#structure) links
to Repetition Templates at #repetition but there is no element with
that ID.

In a recent interview