Alan Burlison wrote:
> It's more an acceptance of the fact that I can't stop people using the
> browser feature anyway ;-) Plus cookies are sent on each request, login
> credentials are not, and login credentials will be supplied over SSL.
>

You are assuming the best case scenario. Are you sure that everybody using the site accesses it through a browser that will fill in the username and password automatically? If not then you must still account for the impact it will have on those who do not.

I can tell you for a fact that the re-login restrictions placed on our tools such as SunSolve and IBIS have resulted in users creating scripts to keep them logged in. Scripts that have their password and username in the clear.

Become too restrictive and you will decrease security as users will just start trying to work around your security measures. The less the users agree with your measures, the sooner that happens. As noted by others, the sections that truly need the security are small (perhaps many users will not even understand the need at all) and therefore the value of your restrictions to users will be small as well, thus they will try to circumvent the measures sooner.

--
blu

There are two rules in life:
Rule 1- Don't tell people everything you know
----------------------------------------------------------------------
Brian Utterback - Solaris RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
_______________________________________________
website-discuss mailing list
