On Wed, 2011-08-24 at 16:46 +0000, Fredrik Jonson wrote:
> Oleg Kalnichevski wrote:
>
> > I contend that preemptive authentication is conceptually flawed and poses
> > major security risks in the overwhelming majority of cases.
>
> What is it that is conceptually flawed with using preemptive authentication,
> when you with certainty know the http request that is about to be performed
> always will require authentication?
>

The overhead of letting the first request in a session get challenged by the origin server and caching the authentication state for the rest of the session is virtually negligible. The whole idea of using preemptive authentication in order to save one HTTP round-trip is a complete and utter idiocy.

> And what are these major security risks involved in using preemptive
> authentication against known and secured addresses?
>

If you control both ends probably none, as long as everything stays constant. But it only takes a small configuration mistake on the client side or a wrong redirect on the server side to get your credentials sent to a wrong site in _clear_ text. I have seen that happen too many times.

Oleg
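A small Python model of the two strategies contrasted above, added here as an illustration; it is not code from this thread or from HttpClient. The host names, the fake origin server and its misconfigured redirect are all constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit

API = "https://api.example.test"  # constructed host names, nothing real
def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))
def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def fake_server(url, headers):
    """Constructed origin: /data needs Basic auth; /old wrongly redirects to plain http."""
    if url == f"{API}/old":
        return 302, "http://mirror.example.test/data"
    if url.startswith(API):
        return (200, None) if "Authorization" in headers else (401, None)
    return 200, None  # the mirror never challenges; it just receives what arrives

@dataclass
class Client:
    user: str
    password: str
    preemptive: bool = False
    challenged: set = field(default_factory=set)  # origins that answered 401

    def headers_for(self, url):
        # Preemptive: credentials on every request. Challenge-driven: only to origins cached as challenged.
        if self.preemptive or origin(url) in self.challenged:
            return {"Authorization": basic_header(self.user, self.password)}
        return {}

    def send(self, url, server, max_hops=5):
        """Return (status, trace); trace lists (url, credentials_sent) per hop."""
        trace = []
        for _ in range(max_hops):
            headers = self.headers_for(url)
            trace.append((url, "Authorization" in headers))
            status, location = server(url, headers)
            if status == 401 and origin(url) not in self.challenged:
                self.challenged.add(origin(url))  # remember, then retry once
            elif status in (301, 302, 307, 308) and location:
                url = location  # redirect: scope is re-evaluated for the new URL
            else:
                return status, trace
        return None, trace

def plaintext_credential_leaks(trace):
    """URLs that received the credentials over plain http."""
    return [u for u, sent in trace if sent and urlsplit(u).scheme == "http"]
```

The challenge-driven client pays one extra round-trip on the first request only, and a redirect to a host that never challenged it carries no credentials; the preemptive client hands them to the mirror over plain http.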
