On Dec 23, 2004, at 8:10 AM, Geoffrey Talvola wrote:

Frank Barknecht wrote:
Geoffrey Talvola wrote:
So the most secure solution is indeed to use "URL secrets", like the
incrementing id already proposed (which must not be guessable) or
random secrets (like in Funcs.uniqueId(), but they lead to uglier
URLs), in combination with Cookie based sessions.

It might be nice to add some kind of secrets to Webkit.Page or another
place in WW.

The secret could be automatically placed in the path using a similar
mechanism to the one used for path sessions. This wouldn't be hard to add.
I may take a crack at it sometime in January.

Geoff,

I found the article "Dos and Don'ts of Client Authentication on the Web" from MIT to be enlightening when I implemented a security model for the XML-RPC project I built upon Webware. Here is a link to the abstract on usenix.org:

        http://www.usenix.org/publications/library/proceedings/sec01/fu.html

The full text can be downloaded from that page. The Cookie Eaters page also has this document and several others on the topic.

        http://cookies.lcs.mit.edu/

I would be interested in links for other documents on this topic, should anyone care to share them.

hth,

Mark Phillips
Mophilly & Associates
On the web at http://www.mophilly.com
On the phone at 619 444-9210
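One way to realise the combination discussed above, a non-guessable URL secret that is only usable together with the cookie-based session, as an added example in Python (not Webware's code and not from anyone in the thread; the server key, the function names and the token layout are assumptions):

```python
import hashlib
import hmac
import secrets

# Hypothetical per-deployment key. In practice load it from configuration;
# it is generated here only so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


def make_url_secret(session_id: str, page_id: str, expires_at: int,
                    key: bytes = SERVER_KEY) -> str:
    """Build a URL token that names page_id but is valid only together with
    the cookie session session_id and only until expires_at (Unix time).

    The MAC covers the session id, so a token copied out of a URL is useless
    without the matching cookie, and incrementing page_id does not yield a
    valid token for the neighbouring page."""
    msg = f"{session_id}|{page_id}|{expires_at}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{page_id}.{expires_at}.{mac.hex()}"


def verify_url_secret(token: str, session_id: str, now: int,
                      key: bytes = SERVER_KEY):
    """Return the page id if token is valid for this session at time now,
    otherwise None. Malformed, expired, forged and cross-session tokens all fail."""
    try:
        page_id, exp_str, mac_hex = token.rsplit(".", 2)
        expires_at = int(exp_str)
        given = bytes.fromhex(mac_hex)
    except ValueError:
        return None
    if now > expires_at:
        return None
    msg = f"{session_id}|{page_id}|{expires_at}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(given, expected):
        return None
    return page_id
```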
