Yes, I know, if you spend some more effort, you get a bit more security:
- define a time window where the code is valid
- make the client IP part of the hashcode
But in the end all variants are less secure than https.

> -----Original Message-----
> From: Ralph Einfeldt
> Sent: Friday, 9 August 2002 16:38
> To: Tomcat Users List
> Subject: Re: SSL just for a login page
>
> That's no solution, as now the one-way hash can be snooped
> and hijacked. You win absolutely nothing but wasted effort.
>
> > -----Original Message-----
> > From: Durham David Cntr 805CSS/SCBE [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 9 August 2002 16:30
> > To: Tomcat Users List
> > Subject: RE: SSL just for a login page
> >
> > 2) After a successful login, (still ssl, don't put anything in
> > session yet) pass the user's ID and a one-way hashed version
> > of their password to a non ssl page that authenticates this
> > information and sets up their session.
> >
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
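The two hardening steps mentioned in the reply above (a validity window and binding the hash to the client IP) can be shown concretely. The following is an added example written for this thread, not code from any of the posters or from Tomcat; it assumes Python's standard `hmac` module, a constructed server-side secret, and a 60-second window. The token carries the user ID, the client IP and the issue time, all covered by an HMAC, so the verifier rejects a token that is presented after the window, from a different address, or with any field altered.

```python
import hmac
import hashlib

# Constructed secret for this example only; a real server would generate
# its own and keep it out of the page content.
SERVER_SECRET = b"example-secret-for-illustration"
WINDOW_SECONDS = 60


def _mac(user_id: str, client_ip: str, issued_at: int) -> str:
    """HMAC over all three bound fields; changing any one invalidates it."""
    msg = f"{user_id}|{client_ip}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(user_id: str, client_ip: str, issued_at: int) -> str:
    """Issued on the SSL login page: user, client IP, timestamp and MAC."""
    return f"{user_id}|{client_ip}|{issued_at}|{_mac(user_id, client_ip, issued_at)}"


def verify_token(token: str, client_ip: str, now: int) -> bool:
    """Checked on the non-SSL page before a session is created.

    Returns True only if the MAC is intact, the presenting client's IP
    matches the one bound into the token, and 'now' lies inside the
    validity window that started at issue time.
    """
    try:
        user_id, ip, issued_str, mac = token.split("|")
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed token
    # Constant-time comparison so MAC checking does not leak timing.
    if not hmac.compare_digest(mac, _mac(user_id, ip, issued_at)):
        return False  # tampered field or forged MAC
    if ip != client_ip:
        return False  # presented from a different address
    if not (issued_at <= now <= issued_at + WINDOW_SECONDS):
        return False  # outside the validity window (expired or future-dated)
    return True


if __name__ == "__main__":
    # Constructed sample values.
    tok = make_token("alice", "10.0.0.5", 1000)
    print(verify_token(tok, "10.0.0.5", 1030))  # inside window, same IP
    print(verify_token(tok, "10.0.0.9", 1030))  # different IP
    print(verify_token(tok, "10.0.0.5", 1100))  # after the window
```

Note what this does and does not buy: a token captured on the unencrypted hop is still accepted within the window when presented from the same address (or from behind the same NAT or proxy, where the client IP is shared), which is why the thread concludes that every such variant remains weaker than keeping the exchange under https.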