
Re: [cgiapp] problem with form-data (get/post)


Jan Dworschak wrote:
> >
> > So the big question is:  If your CGI script sees an encrypted 
> > password, and it determines that it is valid, are you allowing access 
> > to that user based on that info alone?  If so, then you might as well 
> > be using plain text passwords, because all an attacker needs to get in 
> > is the encrypted password!!!
> 
> So far you're right. But only the encrypted password isn't enough. On 
> the server it has to be decrypted with the right key.
> And this key is generated for each session on the server.
> Theoretically it is possible to get the correct value, that's right. But 
> it's a little bit harder. That was my intention.
> 

But why even send the password back to the browser only to send it on again? If
you are storing a unique key to decrypt the password in a session, why not just
save some sort of 'logged in' status in that session? If your session can be
compromised then you have problems with either approach. The whole point of
ticket based authentication is to avoid passing the username and password back
and forth across the net. The user should have some sort of identifying
session id (cookie or hidden param) which should be able to uniquely identify
them, right?

Michael Peters
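The design Michael describes above, as an added worked example (not code from this thread or from CGI::Application): the password is checked once at login against a salted hash, the server mints an unguessable session id and stores a logged-in flag behind it, and every later request is authorized from that id alone, so the password never crosses the wire again. The user "alice", her password, the `rm` run-mode parameter and the `handle_request` dispatcher are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed user store: username -> (salt, PBKDF2 hash of the password).
# A real app would keep this in a database; "alice" is made up for this example.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Server-side session store: session id -> session data.  Only the id ever
# reaches the browser (cookie or hidden field); the logged-in flag stays here.
SESSIONS: Dict[str, dict] = {}
SESSION_TTL = 3600  # seconds


def login(username: str, password: str) -> Optional[str]:
    """Verify the password once and mint a session carrying a logged-in flag."""
    record = USERS.get(username)
    if record is None:
        # Burn the same hashing cost so unknown users are not distinguishable by timing.
        _hash_password(password, b"\0" * 16)
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    sid = secrets.token_urlsafe(32)  # the "ticket": random, not derived from the password
    SESSIONS[sid] = {"user": username, "logged_in": True,
                     "expires": time.time() + SESSION_TTL}
    return sid


def current_user(sid: Optional[str]) -> Optional[str]:
    """Authorize a later request from the session id alone; no password involved."""
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        return None
    if session["expires"] < time.time():
        del SESSIONS[sid]  # expired ticket is dropped, not honoured
        return None
    return session["user"] if session["logged_in"] else None


def logout(sid: str) -> None:
    """Invalidate the ticket server-side so the cookie value becomes worthless."""
    SESSIONS.pop(sid, None)


def handle_request(params: dict, cookies: dict) -> Tuple[int, str, dict]:
    """Tiny dispatcher in the spirit of a CGI::Application run-mode table.
    Returns (status, body, response headers)."""
    mode = params.get("rm", "login")
    if mode == "login":
        sid = login(params.get("user", ""), params.get("pass", ""))
        if sid is None:
            return 401, "bad credentials", {}
        # HttpOnly keeps scripts away from the id; Secure keeps it off plain HTTP.
        return 200, "welcome", {"Set-Cookie": f"sid={sid}; HttpOnly; Secure; SameSite=Lax"}
    user = current_user(cookies.get("sid"))
    if user is None:
        return 401, "please log in", {}
    if mode == "logout":
        logout(cookies["sid"])
        return 200, "bye", {"Set-Cookie": "sid=; Max-Age=0"}
    return 200, f"hello {user}", {}
```

The point of the split between `login` and `current_user` is that a captured value from a later request is only a session id, which expires and can be revoked with `logout`, whereas a captured "encrypted password" that the server accepts as proof of identity is as good as the password itself for as long as the account exists.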

