For whatever reason, I didn't get the original post and have only seen some of
the replies.
I have used a combination of schemes to obfuscate the login process to web services. The
first one is to make every page dynamic and build them using CGI (Perl, PHP, whatever)
such that each page is only used once. They're built in a temporary directory on the
server, then sent to the client. The source can change every time a page is generated
(including variable names). A daemon running on the server removes old files from the temp
directory if they have not already been removed after use.
Second, the use of MySQL, Apache, cookies, and sessions. Session data is tracked via
encrypted cookies. Sessions are controlled through the Apache-MySQL sessions interface and
every session is unique and limited by time and connection. Cookies can actually be used
to tell the server which program, script, etc. to use in order to process the data being
returned by the client.
One could also use a Java Application Server (something I'm going to be
implementing soon).
Finally, all passwords (and any other authentication data) are used for authentication and
removed from memory immediately after use.
PGA
--
Paul G. Allen
Owner, Sr. Engineer, BSIT/SE
Random Logic Consulting Services
www.randomlogic.com
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
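Added example, not part of the post above: a minimal version of the second and third schemes in Python (standard library only, so it can be run as-is). The session cookie is authenticated with HMAC-SHA256 rather than encrypted, since the stdlib has no AES; the cookie carries a per-session id, the bound client address and an expiry, and the server rejects it if the tag, the address or the time limit fails. The password check reads the submitted password into a mutable buffer and zeroes it after the comparison. `SERVER_KEY`, `PBKDF2_ROUNDS`, the user name and the 192.0.2.x/198.51.100.x client addresses are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server secret, constructed for the example; a real deployment
# would load it from protected storage rather than generate it per process.
SERVER_KEY = secrets.token_bytes(32)

PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored password verifier


def mint_session_cookie(key: bytes, user: str, client_addr: str, now: float, ttl: int) -> str:
    """Build a session cookie bound to one client address and one time window.

    The cookie is base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag),
    so anything the client alters fails verification. The session id would
    also be recorded server-side (e.g. in a MySQL session table) for revocation.
    """
    payload = {
        "sid": secrets.token_hex(16),   # unique per session
        "user": user,
        "addr": client_addr,            # connection binding
        "exp": int(now) + ttl,          # time limit
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    )
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body.decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_session_cookie(key: bytes, cookie: str, client_addr: str, now: float):
    """Return the session payload if the cookie is authentic, unexpired and
    presented from the bound client address; otherwise return None."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body = body_b64.encode()
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the tag before parsing anything: untrusted JSON is never decoded
    # unless the MAC says this server produced it.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, binascii.Error):
        return None
    if payload.get("exp", 0) <= now:
        return None
    if payload.get("addr") != client_addr:
        return None
    return payload


def hash_password(password: bytes, salt: bytes) -> bytes:
    """Derive the stored verifier with PBKDF2-HMAC-SHA256 from the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def check_password_and_wipe(password: bytearray, salt: bytes, stored: bytes) -> bool:
    """Verify a password held in a mutable buffer, then overwrite the buffer.

    Python str objects are immutable and cannot be scrubbed, so the caller
    must read the submitted password into a bytearray; the finally block
    zeroes it so the plaintext does not outlive the comparison, even on error.
    """
    try:
        digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, stored)
    finally:
        for i in range(len(password)):
            password[i] = 0


if __name__ == "__main__":
    # Constructed sample login: a stored verifier and a submitted password.
    salt = secrets.token_bytes(16)
    stored = hash_password(b"correct horse battery staple", salt)
    submitted = bytearray(b"correct horse battery staple")
    print("login ok:", check_password_and_wipe(submitted, salt, stored))
    print("buffer wiped:", all(b == 0 for b in submitted))

    cookie = mint_session_cookie(SERVER_KEY, "pga", "192.0.2.10", time.time(), 600)
    print("same client:", verify_session_cookie(SERVER_KEY, cookie, "192.0.2.10", time.time()) is not None)
    print("other client:", verify_session_cookie(SERVER_KEY, cookie, "198.51.100.7", time.time()))
```

The address binding is only as strong as the network path: clients behind a NAT or proxy share an address, and a roaming client will be logged out when its address changes, so a deployment would decide whether that trade-off fits. The MAC is checked with a constant-time comparison before anything in the cookie is parsed, which is what keeps the cookie usable as a selector for server-side handling without trusting its contents.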