
[REBOL] Re: reading back checksum/secure

From: rebol-list2:seznam:cz at: 23-Oct-2003 11:46

Hello SunandaDH,

Tuesday, October 21, 2003, 11:30:24 PM, you wrote:

Sac> The other problem is that URLs pass through a host of intervening machines
Sac> downstream of you and your server. So:
Sac> http://www.myserver.com/mycgi.r?username=carlos&password=#{A8C40A306844B07D7B3
Sac> C733C3A9EF479ADAFAC1D}
Sac> will be seen by many machines en route. To be truly safe, you'd want to make
Sac> sure that
Sac> password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}
Sac> only works once -- on the next request it is a different checksum value.
Sac> Otherwise, someone could simply spoof you by copying the value.

So it can work, for example, like this:

Client -> Server -- wants to connect
Server -> Client -- sends session ID (SID)
Client -> Server -- sends SID, checksum/secure join SID "mypass"
Server compares whether (checksum/secure join SID "mypass") is correct.

This is a good way to prevent sending plain passwords through the web.
This is a trivial scenario. You can make it more difficult as well, but then be careful to stay able to connect to your app :))

-- 
Best regards,
rebOldes
-----------------[ http://oldes.multimedia.cz/ ]
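Added example, not from the original post, written in Python rather than REBOL: the SID exchange described above, with the one-time SID that Sunanda asked for so that a digest copied "en route" cannot be replayed. It assumes REBOL's checksum/secure is SHA-1 (as in REBOL 2) and that the server holds the password itself, which this scheme requires since it must recompute SHA1(SID + password).

```python
import hashlib
import hmac
import secrets


def secure_checksum(data: bytes) -> bytes:
    """Stand-in for REBOL's checksum/secure (SHA-1 in REBOL 2)."""
    return hashlib.sha1(data).digest()


def client_response(sid: bytes, password: bytes) -> bytes:
    """Client side: checksum/secure join SID "mypass"."""
    return secure_checksum(sid + password)


class Server:
    def __init__(self, users: dict) -> None:
        # username -> password. The server needs the password itself here:
        # it cannot verify this exchange from a one-way password hash.
        self.users = users
        self.pending = {}  # username -> outstanding SID, consumed on first use

    def issue_sid(self, username: bytes) -> bytes:
        """Server -> Client: a fresh, unpredictable session ID."""
        sid = secrets.token_hex(16).encode()
        self.pending[username] = sid
        return sid

    def verify(self, username: bytes, sid: bytes, response: bytes) -> bool:
        """Server compares the digest; the SID is consumed whether or not it matches."""
        expected_sid = self.pending.pop(username, None)
        if expected_sid is None or not hmac.compare_digest(expected_sid, sid):
            return False  # unknown, stale or already-used SID
        password = self.users.get(username)
        if password is None:
            return False
        expected = secure_checksum(sid + password)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(server: Server, username: bytes, password: bytes) -> tuple:
    """One full login, then a replay of the very same message.
    A correctly behaving server returns (True, False)."""
    sid = server.issue_sid(username)             # Client -> Server: wants to connect
    resp = client_response(sid, password)        # client computes the digest
    first = server.verify(username, sid, resp)   # server compares
    replay = server.verify(username, sid, resp)  # same bytes seen en route, resent
    return first, replay
```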