   Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation


Rich Salz scripsit:

> HTTP auth requires SSL for all connections or else passwords can be 
> stolen -- do you include that in your "setup in 5 minutes" overhead? 
> With cookies, you only need SSL on the login page if you make the cookie 
> be an opaque ID into server state that has a time-out.  In general, 
> login cookies are more secure with less overhead.

What is to prevent replay attacks in the cookie scenario you describe?
A timeout only prevents *delayed* replay attacks.

They do not preach                              John Cowan
  that their God will rouse them                jcowan@reutershealth.com
    A little before the nuts work loose.        http://www.ccil.org/~cowan
They do not teach                               http://www.reutershealth.com
  that His Pity allows them                         --Rudyard Kipling,
    to drop their job when they damn-well choose.   "The Sons of Martha"
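The design discussed above (an opaque, unguessable ID pointing at server-side state with a time-out) and the objection to it, as an added example that is not part of the original thread. The store, the user name and the timeout value are constructed for illustration; `now` is passed in explicitly so the behaviour is deterministic.

```python
import secrets

SESSION_TTL = 600  # seconds; constructed value for the example


class SessionStore:
    """Server-side state keyed by an opaque random ID, as in the quoted design."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}  # opaque id -> (user, absolute expiry time)

    def login(self, user, now):
        # The cookie value carries no user data and cannot be forged,
        # but anyone holding it is indistinguishable from the user.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def validate(self, sid, now):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]  # timed out: stale replays are rejected
            return None
        return user


def replay_demo(ttl=SESSION_TTL):
    """Replay a captured cookie once inside and once after the time-out window."""
    store = SessionStore(ttl)
    t0 = 1_000_000
    sid = store.login("alice", t0)
    captured = sid  # constructed: value observed on a non-TLS request
    within_window = store.validate(captured, t0 + ttl // 2)
    after_window = store.validate(captured, t0 + ttl + 1)
    return within_window, after_window
```

`replay_demo()` returns `("alice", None)`: the time-out stops the delayed replay but not the prompt one. Marking the cookie `Secure`, so the browser only sends it over TLS, addresses the capture step, which is the part a time-out cannot.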
