On 10/12/07, Daniel Rossi <[EMAIL PROTECTED]> wrote:
> How is it possible to securely
> expose the session id, ie encrypting it and adding as a javascript
> variable, so it can be sent along with the request to the src of the
> plugin object code.

Hi Daniel,

The only way to securely communicate something between the HTTP server
and the client is to encrypt it using a shared secret, and HTTP
provides no mechanism for exchanging shared secrets.

There are two ways I can think of to secure communication between the
client and server:

1) Use HTTPS and encrypt the entire transaction. Note that you don't
have to send the whole page over HTTPS. You could just make certain
links HTTPS.

2) Ask the user to enter a password, hash it with md5 in JavaScript
and submit that in the request. Do the same on the server and check
the password against a database (aka digest authentication). Of course
it might be a little cumbersome to require that the user enter a
password every time they want to load the plugin.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
