Dear Wiki user, You have subscribed to a wiki page or wiki category on "Jakarta-httpclient Wiki" for change notification.
The following page has been changed by RolandWeber:
http://wiki.apache.org/jakarta-httpclient/FrequentlyAskedApplicationDesignQuestions

------------------------------------------------------------------------------
  [http://www.ietf.org/rfc/rfc2246.txt RFC 2246: The TLS Protocol Version 1.0]
  [http://www.ietf.org/rfc/rfc3546.txt RFC 3546: Transport Layer Security (TLS) Extensions]
+
+
+
+ -------
+ == Server Performing Login for Client ==
+
+ Once in a while, somebody wants a server or proxy to perform login to a different site on behalf of the client,
+ then handing the session over to the client. Since the authentication is already performed by the server or proxy,
+ the client is not supposed to ask the user for credentials.
+
+ This is '''not possible'''. We mean it. It is '''not''' possible. Seriously.
+ Unless the server or proxy is in the same domain as the server to which you want to log in,
+ there is '''no way'''.
+ [[BR]]
+ If you find a way to make this work across domains, please report a security vulnerability against the browser.
+
+ If your server or proxy is in the same domain as the site you want to login to,
+ you can ''try'' to send the session cookie obtained from the target site on to the client,
+ setting it at the domain level.
+ This may or may not work, depending on the configuration of the target server, and of other servers in the domain.
+ [[BR]]
+ If you don't know what all that stuff means, you shouldn't implement
+ this kind of security sensitive application in the first place.
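The cookie scoping that the new wiki section relies on, as an added example that is not part of the wiki page or of HttpClient itself: a minimal model of how a browser decides which Set-Cookie headers to store and which requests receive the cookie, following the RFC 6265 domain-match rules (host names and cookie values are constructed). It shows why a proxy in a different domain cannot hand a session over, and why a same-domain proxy has to set the cookie at the domain level rather than host-only.

```python
"""Cookie domain scoping: why cross-domain session hand-off fails and
same-domain hand-off only "may" work.

Added example, not code from the wiki page or from HttpClient. Host
names and cookie values are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str        # lower-case, without a leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-literal check omitted)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def accept_set_cookie(origin_host: str, header: str) -> Optional[StoredCookie]:
    """Store a Set-Cookie header received from origin_host, applying the
    RFC 6265 section 5.3 rule that a Domain attribute must domain-match
    the host that set it; otherwise the user agent ignores the cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain" and val:
            domain_attr = val.lower().lstrip(".")
    if domain_attr is None:
        # host-only cookie: bound to exactly the host that set it
        return StoredCookie(name, value, origin_host.lower(), host_only=True)
    if not domain_matches(origin_host, domain_attr):
        return None   # a proxy in another domain cannot plant this cookie
    return StoredCookie(name, value, domain_attr, host_only=False)


def sent_to(cookie: StoredCookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request to request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)
```

A host-only cookie relayed by proxy.example.com never reaches www.example.com; only a cookie set with `Domain=example.com` does, and only because the proxy itself domain-matches that value.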
