From: Mark P. <ma...@mo...> - 2004-12-23 17:04:29

On Dec 23, 2004, at 8:10 AM, Geoffrey Talvola wrote:
> Frank Barknecht wrote:
>> Geoffrey Talvola said: // Geoffrey Talvola wrote:
>> So the most secure solution is indeed to use "URL secrets", like the
>> incrementing id already proposed (which must not be guessable) or
>> random secrets (like in Funcs.uniqueId(), but they lead to uglier
>> URLs), in combination with Cookie based sessions.
>>
>> It might be nice to add some kind of secrets to Webkit.Page or another
>> place in WW.
>
> The secret could be automatically placed in the path using a similar
> mechanism to the one used for path sessions. This wouldn't be hard to
> add.
> I may take a crack at it sometime in January.

Geoff,

I found the article "Dos and Don'ts of Client Authentication on the Web" from MIT to be enlightening when I implemented a security model for the XML-RPC project I built upon Webware. Here is a link to the abstract on usenix.org:

http://www.usenix.org/publications/library/proceedings/sec01/fu.html

The full text can be downloaded from that page. The Cookie Eaters page also has this document and several others on topic.

http://cookies.lcs.mit.edu/

I would be interested in links for other documents on this topic, should anyone care to share them.

hth,
Mark Phillips
Mophilly & Associates
On the web at http://www.mophilly.com
On the phone at 619 444-9210
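The combination Frank and Geoff discuss above, a random per-session URL secret carried in the path and checked against the cookie-based session, as an added example. This is not code from the Webware project or from anyone on this thread; it uses an in-memory dict in place of a real session store, assumes `_SID_` as the session cookie name, and invents a `/_URLSECRET_=<secret>/` path segment modelled on the path-session style Geoff mentions.

```python
import hmac
import secrets

# Assumed names (not Webware's own): session cookie and path-segment prefix.
SESSION_COOKIE = "_SID_"
SECRET_PREFIX = "/_URLSECRET_="
SECRET_BYTES = 16  # 128 bits of entropy per identifier; not guessable or incrementing


class SessionStore:
    """Stand-in for a server-side session store: cookie session id -> session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Both the cookie session id and the URL secret come from a CSPRNG, so
        # neither can be predicted from earlier values the way a counter could be.
        sid = secrets.token_urlsafe(SECRET_BYTES)
        url_secret = secrets.token_urlsafe(SECRET_BYTES)
        self._sessions[sid] = {"url_secret": url_secret}
        return sid, url_secret

    def url_secret_for(self, sid):
        session = self._sessions.get(sid)
        return session["url_secret"] if session else None


def build_path(url_secret, servlet_path):
    """Embed the secret in the path, e.g. /_URLSECRET_=abc123/Main."""
    return SECRET_PREFIX + url_secret + servlet_path


def split_path(path):
    """Return (secret or None, remaining servlet path)."""
    if not path.startswith(SECRET_PREFIX):
        return None, path
    rest = path[len(SECRET_PREFIX):]
    # token_urlsafe output never contains '/', so the first '/' ends the secret.
    secret, sep, tail = rest.partition("/")
    return secret, sep + tail


def authorize(store, cookies, path):
    """Accept a request only if the path secret matches the cookie session's secret."""
    sid = cookies.get(SESSION_COOKIE)
    expected = store.url_secret_for(sid) if sid else None
    presented, _ = split_path(path)
    if expected is None or presented is None:
        return False
    # Constant-time comparison so the check does not leak the secret byte by byte.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    store = SessionStore()
    sid, url_secret = store.create()
    path = build_path(url_secret, "/Main")
    print("own session, own link:", authorize(store, {SESSION_COOKIE: sid}, path))
    other_sid, _ = store.create()
    print("other session, leaked link:", authorize(store, {SESSION_COOKIE: other_sid}, path))
    print("no cookie at all:", authorize(store, {}, path))
```

The check binds the two identifiers together: a link that leaks (in a Referer header, a log, or a forwarded mail) is useless from a browser that does not hold the matching cookie, and a request that carries the cookie but arrives via a URL without the right secret is rejected as well.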
From: Mark P. <ma...@mo...> - 2004-12-23 17:18:03

Oops. Sent this to the wrong list... Sorry about that.

- Mark