RE: [Rainbowportal-devel] Future stuff
From: Plowman, M. <MPl...@bc...> - 2004-09-20 14:40:11
Securing web-services without SSL against someone with a packet sniffer is not possible (someone correct me here?) as all information is sent in clear text.

Using SSL, one of the most efficient methods is to have a login function protected by SSL which then provides a session id that is valid for 30 minutes. Every admin function call made passes this session id rather than the admin login credentials and authentication is made against the session id. This means that admin functions can run outside of SSL which will make them faster (SSL has a fairly high overhead) and if a packet sniffer gets hold of a valid session id, it will only be valid for 30 minutes. If the session id has expired, the WinForm can be prompted to login interactively again in a way that is transparent to the user...

I hope I'm wrong here, but I haven't yet found a way of securing web-services without using SSL at some point.

Cheers,
Mark

> -----Original Message-----
> From: manu [mailto:ma...@du...]
> Sent: 20 September 2004 15:20
> To: rai...@li...
> Subject: RE: [Rainbowportal-devel] Future stuff
>
> I think a win form or remote management interface will run on top of web
> services.
> So the question is: how much effort is needed to expose admin modules as
> webservices and how can we secure it without any special install on server
> (like SSL server side)?
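
The session-id scheme described in the message above, sketched as an added example that is not part of the original thread or of the Rainbow project's code. `SessionStore`, `login`, `is_valid` and `admin_call` are hypothetical names, and the admin account is constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # seconds: the 30-minute lifetime given in the message


class SessionStore:
    """Hypothetical server-side store for the login-then-session-id scheme."""

    def __init__(self, admins, clock=time.time):
        # username -> password; constructed sample data (a real store
        # would hold salted password hashes, not passwords).
        self._admins = admins
        self._sessions = {}   # sha256(session id) -> expiry timestamp
        self._clock = clock   # injectable so expiry can be tested

    @staticmethod
    def _digest(session_id):
        # Only a hash of the id is kept, so a dump of the store
        # does not reveal usable session ids.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, username, password):
        """The one call made over SSL: credentials in, session id out."""
        expected = self._admins.get(username)
        if expected is None or not hmac.compare_digest(
                expected.encode(), password.encode()):
            return None
        session_id = secrets.token_urlsafe(32)  # 256 random bits
        self._sessions[self._digest(session_id)] = self._clock() + SESSION_TTL
        return session_id

    def is_valid(self, session_id):
        """Checked on every admin call; credentials are never re-sent."""
        key = self._digest(session_id)
        expiry = self._sessions.get(key)
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._sessions[key]  # expired: client must log in again
            return False
        return True

    def admin_call(self, session_id, action):
        """Hypothetical admin entry point gated on the session id alone."""
        if not self.is_valid(session_id):
            return "login-required"
        return "ok:" + action
```

The session id is a bearer value: `admin_call` accepts it from whoever presents it until the expiry passes, which is the 30-minute exposure the message describes for calls made outside SSL.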