Using HTTPS instead of HTTP takes care of the packet sniffing issues when dealing with web services authentication. Combined with the other techniques mentioned here, you end up with "reasonable" security/authentication.
-Rob

Sent by: [EMAIL PROTECTED]

Sammy Larbi <[EMAIL PROTECTED]>
09/07/2006 09:53 AM
Please respond to cfcdev

To: [email protected]
cc:
bcc:
Subject: Re: [CFCDEV] webservices and authentication

Ed Griffiths wrote:
> The webservice expects an encrypted usr/pwd combo, authenticates the login
> (say against LDAP or DB), then passes back a valid JSESSIONID in the
> response that must be sent with all subsequent webservice requests (and also
> checks the incoming request IP address).
>

As far as I can tell, I would think that someone sniffing your packets could still grab the encrypted user/pwd and send the same encrypted combo to the webservice, which sort of defeats the purpose of encrypting it in the first place. Or, did I miss something (as often happens)?

-Sam

You are subscribed to cfcdev. To unsubscribe, please follow the instructions at http://www.cfczone.org/listserv.cfm
CFCDev is supported by: Katapult Media, Inc. We are cool code geeks looking for fun projects to rock! www.katapultmedia.com
An archive of the CFCDev list is available at www.mail-archive.com/[email protected]
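The replay Sam describes (resending a captured credential blob byte for byte) is the gap that HTTPS closes on the wire, and the "other techniques" Rob mentions can close on the server as well. As an added example, not code from this thread, here is a server-side check that binds each request to a timestamp and a one-time nonce under an HMAC, so a second submission of an intact captured request is rejected; the shared secret, the 300-second window and the field names are my assumptions.

```python
import hmac
import hashlib
import secrets

WINDOW_SECONDS = 300  # assumed freshness window; tune to clock skew tolerance


def make_tag(secret: bytes, ts: int, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over timestamp, nonce and body: any change breaks the tag."""
    msg = f"{ts}|{nonce}|".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(secret: bytes, body: bytes, now: int):
    """Client side: attach the current time and a fresh random nonce."""
    nonce = secrets.token_hex(16)
    return now, nonce, make_tag(secret, now, nonce, body)


class ReplayGuard:
    """Server-side state: the shared secret and the nonces already accepted."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, ts: int, nonce: str, body: bytes, tag: str, now: int) -> str:
        # 1. Authenticity first: a forged or tampered request never gets further.
        expected = make_tag(self.secret, ts, nonce, body)
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        # 2. Freshness: a captured request is only usable inside the window.
        if abs(now - ts) > self.window:
            return "stale"
        # 3. Uniqueness: the same nonce is accepted once, which defeats a replay.
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        # Forget nonces older than the window; those fail step 2 anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return "ok"
```

Encrypting the credential blob alone provides none of steps 2 and 3, which is why the same ciphertext would be accepted again.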
