Rob Brooks-Bilson wrote:
Using HTTPS instead of HTTP takes care of the packet sniffing issues when dealing with web services authentication. Combined with the other techniques mentioned here, you end up with "reasonable" security/authentication.

Yes, I thought about mentioning HTTPS. But, the way I read it, I thought only the value was encrypted (say, via cf encrypt()), not the entire request.

-Rob

Sent by: [EMAIL PROTECTED]
Sammy Larbi <[EMAIL PROTECTED]>
09/07/2006 09:53 AM Please respond to cfcdev
To: [email protected]
cc:
bcc:
Subject: Re: [CFCDEV] webservices and authentication

Ed Griffiths wrote:
The webservice expects an encrypted usr/pwd combo, authenticates the login (say against LDAP or DB), then passes back a valid JSESSIONID in the response that must be sent with all subsequent webservice requests (and also checks the incoming request IP address).

As far as I can tell, I would think that someone sniffing your packets could still grab the encrypted user/pwd and send the same encrypted combo to the webservice, which sort of defeats the purpose of encrypting it in the first place.

Or, did I miss something (as often happens)?

-Sam


You are subscribed to cfcdev. To unsubscribe, please follow the instructions at http://www.cfczone.org/listserv.cfm

CFCDev is supported by:
Katapult Media, Inc.
We are cool code geeks looking for fun projects to rock!
www.katapultmedia.com

An archive of the CFCDev list is available at www.mail-archive.com/[email protected]
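The replay that Sam describes (a sniffed credential blob resent verbatim) is what a server-side freshness check addresses, independently of whether the transport is HTTPS. The following is an added Python example, not code from this thread or from ColdFusion: it binds the credential proof to a timestamp and a one-time nonce so that the identical blob is rejected on its second use. The user table, the password-derived key, the 300-second window and the request field names are assumptions made up for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed credential store: user -> key derived from the password.
# Assumption for the demo; a real service would use a proper password KDF with a salt.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").digest()}

WINDOW_SECONDS = 300  # assumed freshness window; requests older than this are refused


def make_login_request(user, password, now=None, nonce=None):
    """Client side: prove knowledge of the password over (user, timestamp, nonce)."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16).hex() if nonce is None else nonce
    key = hashlib.sha256(password.encode()).digest()
    msg = f"{user}|{now}|{nonce}".encode()
    proof = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"user": user, "ts": now, "nonce": nonce, "proof": proof}


class AuthService:
    """Server side: verify the proof, refuse stale timestamps and reused nonces."""

    def __init__(self):
        self.seen_nonces = {}  # nonce -> timestamp of first use

    def authenticate(self, req, now=None):
        now = int(time.time()) if now is None else now
        # Forget nonces that are outside the window; the timestamp check rejects those anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= WINDOW_SECONDS}
        key = USERS.get(req["user"])
        if key is None:
            return False, "unknown user"
        if abs(now - req["ts"]) > WINDOW_SECONDS:
            return False, "stale timestamp"
        if req["nonce"] in self.seen_nonces:
            return False, "replayed nonce"  # same blob seen before: the sniffed-copy case
        msg = f"{req['user']}|{req['ts']}|{req['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["proof"]):
            return False, "bad proof"
        self.seen_nonces[req["nonce"]] = req["ts"]  # record only after a successful check
        return True, "ok"
```

A plain encrypted username/password blob carries neither a timestamp nor a nonce, so a server has nothing to refuse when it is presented a second time; the nonce cache is what makes the second presentation detectable.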