> >No. I'm saying without rest I send it once, store it at the server,
> >use a cookie to refer to it in future transactions.
>
> Is the cookie sent unencrypted? If so, and we're not using SSL (as is
> the case in many cookie scenarios) what, if anything, prevents an
> attacker from snarfing the authentication cookie as it makes its way
> back from the client to the server (or in the other direction) and
> adding that to its own requests to the same server?
The cookie that references the server state must be treated almost as
securely as a cookie containing password information, or an HTTP
basic-auth application. In practice, this often means SSL for data
privacy while in transit. Other mechanisms -- the credentials could
record the client's IP address, for example -- are also possible.
The difference between a login session and basic-auth/digest style
is two-fold. First, if stolen, the impersonation is good for a
finite time, not until I notice and change my password. The second
is that the adversary only has session credentials, and not my
long-term login password. Those are very significant differences.
So the attacks you are concerned about don't happen, and if they did
much less damage is done.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
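As an added illustration (not part of the thread or any DataPower product), here is a minimal server-side session store in Python that embodies the points made above: the cookie value is an opaque random reference to server state, the session dies on its own after a fixed interval, it may be bound to the client's IP address, and the cookie is flagged Secure so it travels only over SSL/TLS. The class and function names, the 15-minute lifetime and the `sid` cookie name are assumptions.

```python
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # finite session lifetime in seconds (assumed value)


class Session:
    def __init__(self, user, client_ip, expires_at):
        self.user = user
        self.client_ip = client_ip
        self.expires_at = expires_at


class SessionStore:
    """Server-side session state; the cookie carries only an opaque reference to it."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self._sessions = {}     # token -> Session

    def login(self, user, password_ok, client_ip):
        # Password verification happens elsewhere; only its result is passed in,
        # so the session token never derives from or reveals the long-term password.
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)  # unguessable reference to server state
        self._sessions[token] = Session(user, client_ip, self.clock() + SESSION_TTL)
        return token

    def lookup(self, token, client_ip):
        """Return the user for a presented cookie value, or None if it is not valid."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.clock() >= s.expires_at:
            del self._sessions[token]  # stolen or not, a session expires on its own
            return None
        # Optional binding to the client address recorded at login, as the reply suggests.
        if not hmac.compare_digest(s.client_ip, client_ip):
            return None
        return s.user

    def logout(self, token):
        # Explicit revocation invalidates a copy held by anyone else, too.
        self._sessions.pop(token, None)


def set_cookie_header(token):
    # Secure: sent only over SSL/TLS; HttpOnly: not readable by page scripts.
    return f"Set-Cookie: sid={token}; Secure; HttpOnly; Path=/; Max-Age={SESSION_TTL}"
```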