xml-dev - Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip at

Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip at

[ Lists Home | Date Index | Thread Index ]

To: Rich Salz <rsalz@datapower.com>
Subject: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
From: Elliotte Rusty Harold <elharo@metalab.unc.edu>
Date: Tue, 6 Jan 2004 12:02:08 -0500
Cc: XML-DEV <xml-dev@lists.xml.org>
In-reply-to: <3FFAE7EF.9060702@datapower.com>
References: <Pine.LNX.4.44L0.0401052326150.4127-100000@smtp.datapower.com><p06010203bc2071a8d656@[192.168.254.4]> <3FFAE7EF.9060702@datapower.com>

At 11:53 AM -0500 1/6/04, Rich Salz wrote:
>I know about digest-auth.  Yes, it sends a hash (not encrypted 
>password) rather than the plaintext.  But it sends it every time 
>which they admit isn't terribly secure, it is subject to dictionary 
>attacks (with new data every time the nonce expires), and it uses 
>the deprecated MD-5 as opposed to SHA-1.  It also doesn't *seem* (in 
>my quick test) to be supported by IE, which knocks out a large part 
>of the net.  (Always a tip-off when folks use the phrase "supported 
>by modern browsers," I've done it myself.:)

Are you really sure about IE? According to 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_websiteauth.asp 
IIS definitely supports it, and that page also says IE 5 or later 
works with it. Possibly it depends on which version and platform of 
IE we're talking about.

I think it's secure enough for most uses that don't require full SSL. 
After all, most sites do use SSL for credit card info and similar 
sensitive information.

>Good security requires state.  Bad security leaves your login 
>passwords lying around. Using a cookie to maintain a timed-out login 
>session seems the best way to do good and avoid bad.

Browsers can timeout passwords. This is an option in Mozilla, at 
least 1.3 and later, and probably other browsers. Security wise this 
is the right place to put it since it allows the user to choose the 
security policy that's appropriate for them. They can select much 
stricter policies than the sites recommend up to an including 
requiring a master password each time the it's needed (probably too 
extreme). I agree there's no reason the login password should be 
lying around after a specified timeout period, but the timeout period 
should be under the control of the client, not the server. Today many 
servers set essentially unlimited timeouts.
-- 

   Elliotte Rusty Harold
   elharo@metalab.unc.edu
   Effective XML (Addison-Wesley, 2003)
   http://www.cafeconleche.org/books/effectivexml            
   http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA

Follow-Ups:
- Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
  - From: Rich Salz <rsalz@datapower.com>

References:
- RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
  - From: Rich Salz <rsalz@datapower.com>
- RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
  - From: Elliotte Rusty Harold <elharo@metalab.unc.edu>
- Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
  - From: Rich Salz <rsalz@datapower.com>

Prev by Date: RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation
Next by Date: RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
Previous by thread: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
Next by thread: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Particip ation
Index(es):
- Date
- Thread