[REBOL] Re: reading back checksum/secure
From: rebol-list2:seznam:cz at: 23-Oct-2003 11:46
Hello SunandaDH,
Tuesday, October 21, 2003, 11:30:24 PM, you wrote:
Sac> The other problem is that URLs pass through a host of intervening machines
Sac> downstream of you and your server. So:
Sac> http://www.myserver.com/mycgi.r?username=carlos&password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}
Sac> will be seen by many machines en route. To be truly safe, you'd want to make
Sac> sure that
Sac> password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}
Sac> only works once -- on the next request it is a different checksum value.
Sac> Otherwise, someone could simply spoof you by copying the value.
So it can work, for example, like this:
Client -> Server -- wants connect
Server -> Client -- sends session ID (SID)
Client -> Server -- sends SID, checksum/secure join SID "mypass"
Server compares if (checksum/secure join SID "mypass") is correct.
This is a good way to prevent sending plain passwords through the web. This is
a trivial scenario. You can make it more difficult as well, but then be
careful to stay able to connect to your app :))
--
Best regards,
rebOldes -----------------[ http://oldes.multimedia.cz/ ]
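The SID challenge-response exchange described above, written out as an added Python model with both sides' steps; this is not code from the list post. It assumes REBOL 2's `checksum/secure` is SHA-1 and models `join SID "mypass"` as plain string concatenation; the user table, `Server` class and function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store: the server must hold the password itself
# (not a hash of it) to recompute the client's digest, a trade-off of this scheme.
USERS = {"carlos": "mypass"}


def response_digest(sid: str, password: str) -> str:
    # Step 3, client side: checksum/secure join SID "mypass", modelled here as
    # SHA-1 over the concatenated string (assumption about REBOL 2 behaviour)
    return hashlib.sha1((sid + password).encode()).hexdigest()


class Server:
    def __init__(self):
        self.pending = set()  # SIDs handed out but not yet used

    def issue_sid(self) -> str:
        # Step 2: a random, unpredictable session ID sent to the client
        sid = secrets.token_hex(16)
        self.pending.add(sid)
        return sid

    def verify(self, username: str, sid: str, digest: str) -> bool:
        # Step 4: each SID is accepted once only. A copied request replays a
        # SID that has already been consumed, so it is rejected (the point of
        # the "only works once" remark in the quoted mail).
        if sid not in self.pending:
            return False
        self.pending.discard(sid)  # consume it even if the password is wrong
        password = USERS.get(username)
        if password is None:
            return False
        expected = response_digest(sid, password)
        return hmac.compare_digest(expected, digest)  # constant-time compare


def demo() -> tuple:
    server = Server()
    sid = server.issue_sid()                      # Client -> Server, Server -> Client
    digest = response_digest(sid, "mypass")       # Client -> Server
    first = server.verify("carlos", sid, digest)  # genuine login: True
    replay = server.verify("carlos", sid, digest) # same SID and digest again: False
    return first, replay
```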