hc-dev mailing list archives

From Ortwin Glück <ortwin.glu...@nose.ch>
Subject Re: Issue With HttpClient Session Handling
Date Wed, 08 Dec 2004 15:24:07 GMT

Manish Moorjani wrote:
> But I don't want the pain in which all the request after login to go
> thru httpclient,
> Because there will be a lot of links in the html which point to relative
> urls and I don't want to handle them


Let's look at it from a security point of view. I will use characters 
[1] from cryptography for that reason :-)

If Alice authenticates to Bob, honestly, would you be either happy or 
rather concerned if Mallory could fool Bob into believing that it 
already is authenticated with Alice's identity?

I want to say, Bob has very good reason to make it very hard for Mallory 
to (ab)use the authentication token handed out to Alice.

Now, your proxy is Alice. Hotmail is Bob. And your client is Mallory.
Follows: Either you proxy *all* traffic from Mallory to Bob through 
Alice or it will not work reliably.

It's like getting money out of your bank account. You need to go to the 
bank yourself and show them your ID card. You cannot, however, give your 
ID card to someone else and make him get the money for you.... luckily.

Ortwin Glück

[1] http://en.wikipedia.org/wiki/Characters_in_cryptography
