It depends. For Internet apps, what hotmail.com does is better than any
suggestion on here so far: SSL for the login page, session tracking
thereafter. For Intranet apps, it might be OK (considering telnet passes
it in clear text, as does a 3270 terminal), or using Kerberos, certs, or
possibly supporting challenge-response would be better.
Thor HW
----- Original Message -----
From: Preston L. Bannister <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 03, 1999 10:15 AM
Subject: Re: Forced Log on
> Guess no one has yet made the point that without SSL (i.e. "https:"),
> using basic authentication is the equivalent of sending the username and
> password across the network as plain text.
>
> This is a remarkably *bad* idea.
>
> If you will *always* use SSL this isn't an issue.
> Unless of course someone cracks the SSL implementation...
>
> I dislike the idea so much that I don't use basic authentication.
> Instead I send a small applet that encrypts the username/password before
> sending it back to the server.
>
> The remainder of the semantics are then easy:
>
> ---
> State getState(HttpServletRequest request) {
>     HttpSession session = request.getSession(true);
>     State state = (State) session.getValue("my.state");
>     if (null == state) {
>         state = new LoginState();
>         session.setValue("my.state", state);
>     }
>     return state;
> }
>
> void Logout(HttpServletRequest request) {
>     HttpSession session = request.getSession(true);
>     session.setValue("my.state", null);
> }
> ---
>
> Once you reach the LoginState the login page is presented.
>
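The session-state pattern from the quoted post, written out as an added example that is not code from either poster. It uses the servlet API's getAttribute/setAttribute (the getValue/setValue calls above were deprecated in Servlet 2.2), adds a concrete UserState and a login() step, invalidates the session on logout instead of nulling one attribute, and includes a decodeBasic() helper to make Preston's point concrete: a Basic Authorization header is only Base64, so on a non-SSL connection the username and password are readable by anyone who sees the request. The class and method names, the "alice:s3cret" sample header, and the javax.servlet.http package are assumptions of this example.

```java
// Added example, not from the original thread. Assumes javax.servlet.http
// (Servlet 2.3 or later) and Java 8+ for java.util.Base64.
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionState {

    private static final String KEY = "my.state";   // same attribute name as the post

    /** Per-session state; concrete states decide what the page may do. */
    public interface State {
        boolean isAuthenticated();
    }

    /** Initial state: nobody is logged in, so the login page is presented. */
    public static final class LoginState implements State {
        public boolean isAuthenticated() { return false; }
    }

    /** Set after a successful login; holds the user name only, never the password. */
    public static final class UserState implements State {
        private final String user;
        public UserState(String user) { this.user = user; }
        public String getUser() { return user; }
        public boolean isAuthenticated() { return true; }
    }

    /** Equivalent of the post's getState(): create the session, default to LoginState. */
    public static State getState(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        State state = (State) session.getAttribute(KEY);
        if (state == null) {
            state = new LoginState();
            session.setAttribute(KEY, state);
        }
        return state;
    }

    /** Called once credentials have been verified (over SSL, or via the applet/challenge-response scheme). */
    public static void login(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();   // discard the pre-login session id so it cannot be reused after login
        }
        request.getSession(true).setAttribute(KEY, new UserState(user));
    }

    /** Equivalent of the post's Logout(), but dropping the whole session, not one attribute. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /**
     * Shows why Basic auth without SSL is plain text: the header is just
     * Base64("user:password"), and Base64 is an encoding, not encryption.
     * Returns {user, password} or null if the header is not Basic auth.
     */
    public static String[] decodeBasic(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Basic ")) {
            return null;
        }
        byte[] raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        String pair = new String(raw, StandardCharsets.ISO_8859_1);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample header: Base64 of "alice:s3cret".
        String[] creds = decodeBasic("Basic YWxpY2U6czNjcmV0");
        System.out.println("user=" + creds[0] + " password=" + creds[1]);
    }
}
```

A servlet would call getState() at the top of each request and, if isAuthenticated() is false, render the login page; the login form (or applet) posts over SSL to a handler that verifies the credentials and then calls login(). The extra invalidate() in login() is a caveat the thread does not mention: keeping the session id that was issued before authentication lets an id obtained earlier be promoted to a logged-in session.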
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html