hc-dev mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jakarta-httpclient Wiki] Update of "FrequentlyAskedApplicationDesignQuestions" by RolandWeber
Date Fri, 04 May 2007 17:50:27 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jakarta-httpclient Wiki" for change

The following page has been changed by RolandWeber:

  [http://www.ietf.org/rfc/rfc2246.txt RFC 2246: The TLS Protocol Version 1.0]
  [http://www.ietf.org/rfc/rfc3546.txt RFC 3546: Transport Layer Security (TLS) Extensions]
+ -------
+ == Server Performing Login for Client ==
+ Once in a while, somebody wants a server or proxy to perform login to a different site on
behalf of the client,
+ then handing the session over to the client. Since the authentication is already performed
by the server or proxy,
+ the client is not supposed to ask the user for credentials.
+ This is '''not possible'''. We mean it. It is '''not''' possible. Seriously.
+ Unless the server or proxy is in the same domain as the server to which you want to log
+ there is '''no way'''.
+ [[BR]]
+ If you find a way to make this work across domains, please report a security vulnerability
against the browser.
+ If your server or proxy is in the same domain as the site you want to login to,
+ you can ''try'' to send the session cookie obtained from the target site on to the client,
+ setting it at the domain level.
+ This may or may not work, depending on the configuration of the target server, and of other
servers in the domain.
+ [[BR]]
+ If you don't know what all that stuff means, you shouldn't implement
+ this kind of security sensitive application in the first place.
