On 18 June, 18:02, mars1412 <[email protected]> wrote:
> Isn't that insecure regarding CSRF?
> http://www.openajax.org/whitepapers/Ajax%20and%20Mashup%20Security.ph...
> I must admit that I am a noob regarding security of Web-Apps, so
> please anyone correct me, if I misunderstood.

As Ian said, it's only insecure if you use that same cookie to
authenticate requests to your server (which we do not do: we're
passing the ticket within an Authorization header with a specially
crafted authenticate scheme: "Authorization: UbicAuth <ticket>"; in
other words, we're using and extending HTTP authentication
mechanisms).
It doesn't work for file uploads though, as they have to use a
FormPanel (I'm thinking about using some Flash, as I doubt Gears or
BrowserPlus would meet our client's requirements...). In that case,
we're passing the ticket in the URL; and because we're using SSL/TLS,
we're safe (not to mention that the app is in a WAN, inaccessible from
the Internet).

I'm not a security expert but I think we're pretty secure, probably
more than other web apps already deployed at that same client (not to
mention apps that were deployed before CSRF was really identified and
haven't been updated since then).

> Another question is: why don't you try to use the passwordmanager of
> the browsers?

We do too, but as Ian also said, it only remembers the values to fill
the fields with. I'm pretty sure your idea about using hidden fields
won't work: I doubt browsers would fill them and I think browsers
differ in when they fill the fields (Chrome seems to be waiting onload
to *look* into the password manager, so it fills the fields *after*
onload).
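To make the CSRF argument above concrete, here is an added example (not code from the poster or from GWT) of the server-side check such a scheme implies: a ticket is accepted only from an `Authorization: UbicAuth <ticket>` header that page script attached itself, never from a cookie, and for the upload path only from the URL and only over TLS. The ticket values, the `is_tls`/`upload` flags and the in-memory ticket table are constructed for the example.

```python
import hmac
import re
from urllib.parse import parse_qs

# Constructed for the example: ticket value -> user it was issued to.
VALID_TICKETS = {"t-7f3a9c": "alice"}

UBICAUTH_RE = re.compile(r"^UbicAuth\s+(\S+)$")


def ticket_from_request(headers, query="", is_tls=False, upload=False):
    """Return the ticket carried by the request, or None.

    Normal requests: only the Authorization header counts. Browsers never
    add a custom scheme like UbicAuth on their own, so a form or image
    request forged from another origin arrives without it.
    Upload requests (FormPanel cannot set headers): the ticket travels in
    the query string, which is only acceptable over TLS (assumption
    mirroring the post: is_tls is what the front end reports).
    """
    m = UBICAUTH_RE.match(headers.get("Authorization", ""))
    if m:
        return m.group(1)
    if upload and is_tls:
        return parse_qs(query).get("ticket", [None])[0]
    return None


def authenticate(headers, cookies=None, query="", is_tls=False, upload=False):
    """Map a request to a user name, or None if it carries no valid ticket.

    `cookies` is accepted only to make the point explicit: it is never
    consulted, so an ambiently-sent session cookie authenticates nothing.
    """
    ticket = ticket_from_request(headers, query, is_tls, upload)
    if ticket is None:
        return None
    for known, user in VALID_TICKETS.items():
        # Constant-time compare so ticket lookup does not leak by timing.
        if hmac.compare_digest(known, ticket):
            return user
    return None


# Same-origin RPC: the page's own script attached the header.
rpc_headers = {"Authorization": "UbicAuth t-7f3a9c"}
# Cross-site forged POST: the browser sends cookies automatically, no header.
forged_headers, forged_cookies = {}, {"JSESSIONID": "constructed-session-id"}
```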

