Rich Salz scripsit:
> HTTP auth requires SSL for all connections or else passwords can be
> stolen -- do you include that in your "setup in 5 minutes" overhead?
> With cookies, you only need SSL on the login page if you make the cookie
> be an opaque ID into server state that has a time-out. In general,
> login cookies are more secure with less overhead.
What is to prevent replay attacks in the cookie scenario you describe?
A timeout only prevents *delayed* replay attacks.
They do not preach that their God will rouse them
A little before the nuts work loose.
They do not teach that His Pity allows them
to drop their job when they damn-well choose.
    --Rudyard Kipling, "The Sons of Martha"

John Cowan
email@example.com
http://www.ccil.org/~cowan
http://www.reutershealth.com
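The replay problem raised above, as an added example that is not part of the original thread or either poster's code: a toy server that stores sessions exactly as described (cookie is an opaque random ID into server state with a time-out), a constructed plaintext HTTP request carrying that cookie after the SSL-protected login, and an eavesdropper who copies the Cookie header and replays it. The session store, the FakeClock, the 600-second timeout and the request text are all assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 600  # seconds; assumed value for the server-state "time-out"


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Server-side session state keyed by an opaque random cookie value.

    Models the design quoted in the thread: the cookie is only an ID into
    server state, and that state expires after `timeout` seconds.
    """

    def __init__(self, clock=time.monotonic, timeout=SESSION_TIMEOUT):
        self.clock = clock
        self.timeout = timeout
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # opaque: reveals nothing about the user
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.timeout}
        return sid

    def authenticate(self, cookie_header):
        """Return the user for a Cookie header, or None if absent or expired."""
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get("sid")
        if morsel is None:
            return None
        rec = self._sessions.get(morsel.value)
        if rec is None:
            return None
        if self.clock() >= rec["expires"]:
            del self._sessions[morsel.value]  # lazy expiry on first use after timeout
            return None
        return rec["user"]


def sniff_cookie_header(plaintext_request):
    """What a passive eavesdropper on an unencrypted hop sees: the Cookie header."""
    for line in plaintext_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


def replay_demo():
    clock = FakeClock()
    server = SessionStore(clock)

    # 1. Login happens over SSL; from here on only the cookie matters.
    sid = server.login("alice")

    # 2. Alice's next request travels over plain HTTP (constructed sample request).
    request = (
        "GET /inbox HTTP/1.1\r\n"
        "Host: mail.example.com\r\n"
        f"Cookie: sid={sid}\r\n"
        "\r\n"
    )
    stolen = sniff_cookie_header(request)

    # 3. Attacker replays the captured header right away: the server sees "alice".
    clock.advance(5)
    immediate = server.authenticate(stolen)

    # 4. Replay after the timeout: this is the only replay the timeout stops.
    clock.advance(SESSION_TIMEOUT)
    delayed = server.authenticate(stolen)

    return {"immediate_replay": immediate, "delayed_replay": delayed}


if __name__ == "__main__":
    print(replay_demo())
```

Running it shows the asymmetry the question points at: the opaque ID and the server-side time-out change nothing about the first replay, which the server cannot distinguish from Alice's own request; they only bound how long a captured cookie stays useful.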