From: Mark Phillips <mark@mo...> - 2004-12-23 17:04:29
On Dec 23, 2004, at 8:10 AM, Geoffrey Talvola wrote:
> Frank Barknecht wrote:
>> Geoffrey Talvola said: // Geoffrey Talvola wrote:
>> So the most secure solution is indeed to use "URL secrets", like the
>> incrementing id already proposed (which must not be guessable) or
>> random secrets (like in Funcs.uniqueId(), but they lead to uglier
>> URLs), in combination with Cookie based sessions.
>> It might be nice to add some kind of secrets to Webkit.Page or another
>> place in WW.
> The secret could be automatically placed in the path using a similar
> mechanism to the one used for path sessions. This wouldn't be hard to
> I may take a crack at it sometime in January.
I found the article "Dos and Don'ts of Client Authentication on the
Web" from MIT to be enlightening when I implemented a security model
for the XML-RPC project I built upon Webware. Here is a link to the
abstract on usenix.org:
The full text can be downloaded from that page. The Cookie Eaters page
also has this document and several others on topic.
I would be interested in links for other documents on this topic,
should anyone care to share them.
Mophilly & Associates
On the web at http://www.mophilly.com
On the phone at 619 444-9210
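As an added illustration of the two kinds of "URL secret" the thread discusses (a random token, or an incrementing id made non-guessable), each bound to a cookie-based session, here is example code that is not from Webware, WebKit, Funcs.uniqueId() or any of the thread's authors. Every name in it (SERVER_KEY, ISSUED, the counter and the function names) is an assumption of this example, and the in-memory dictionary stands in for whatever session backend a real application would use.

```python
import hmac
import hashlib
import secrets

# Constructed example state (assumed, not Webware's): a server-side key for
# tagging sequential ids, and a map from issued random token to the cookie
# session that is allowed to use it.
SERVER_KEY = secrets.token_bytes(32)
ISSUED = {}          # random URL secret -> session id
_counter = 0         # hypothetical incrementing id source


def random_url_secret(session_id):
    """Option 1: a random 128-bit token; unguessable but gives long, ugly URLs.
    It is only valid for the cookie session it was issued to."""
    token = secrets.token_urlsafe(16)
    ISSUED[token] = session_id
    return token


def verify_random_url_secret(token, session_id):
    """Accept the token only if it was issued and belongs to this session."""
    owner = ISSUED.get(token)
    # compare_digest avoids leaking the match through timing.
    return owner is not None and hmac.compare_digest(owner, session_id)


def _tag(counter, session_id):
    msg = f"{counter}:{session_id}".encode()
    # 32 hex chars = 128-bit tag; keyed, so it cannot be recomputed by a client.
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def signed_sequential_id(session_id):
    """Option 2: keep a short incrementing id but append an HMAC over
    (counter, session) so that knowing id N does not let anyone forge N+1
    or reuse N from another session."""
    global _counter
    _counter += 1
    return f"{_counter}.{_tag(_counter, session_id)}"


def verify_signed_sequential_id(token, session_id):
    """Recompute the tag for the presented counter and this session."""
    counter, sep, tag = token.partition(".")
    if not sep or not counter.isdigit():
        return False
    return hmac.compare_digest(_tag(counter, session_id), tag)


if __name__ == "__main__":
    sid = "cookie-session-A"
    r = random_url_secret(sid)
    s = signed_sequential_id(sid)
    print("random token ok for owner:", verify_random_url_secret(r, sid))
    print("random token for other session:", verify_random_url_secret(r, "B"))
    print("signed id ok for owner:", verify_signed_sequential_id(s, sid))
    n, _, tag = s.partition(".")
    print("next id with copied tag:", verify_signed_sequential_id(f"{int(n) + 1}.{tag}", sid))
```

The session binding is the point of combining either secret with cookie sessions: a URL that leaks (referrer, logs, a shared link) is useless without the matching cookie, and the signed form keeps the short id the thread prefers without making the next id derivable from the last.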