httpd-dev mailing list archives

From Rob Hartill <hart...@ooo.lanl.gov>
Subject Re: PUT authoring
Date Tue, 18 Jun 1996 13:58:04 GMT
 
> > Cookies!
> > 
> > After the first connection, the user id can be put into a cookie so that
> > a challenge is immediately possible thereafter.
> 
> No.  If you're using something like s/key to protect something, the last
> thing you want to use after that is cookies.  It's sorta like putting a
> piece of duct tape over the door of an unlocked safe.  

Only the user-id is in the cookie. That's safe. New one-time-passwords
are sent when they are asked for; those are useless unless you can
intercept the request and bounce it away from the server that asked for
it. No smoke, mirrors or duct tape.
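
The scheme discussed in this message, as an added example that is not part of the original post or of any S/Key implementation: a simplified Lamport hash-chain one-time password check in which the cookie carries only the user id and an already accepted password fails when presented again. SHA-256, the `OtpServer` class, and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Hash seed||secret n times; only the client can compute this."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value


class OtpServer:
    def __init__(self):
        self.users = {}  # user id -> seed, sequence number, last accepted OTP

    def enroll(self, user_id, seed, count, top):
        # The server keeps chain(secret, seed, count), never the secret itself.
        self.users[user_id] = {"seed": seed, "count": count, "last": top}

    def challenge(self, cookie_user_id):
        # The cookie carries only the user id, so it holds nothing secret.
        u = self.users.get(cookie_user_id)
        if u is None or u["count"] <= 1:
            return None  # unknown user, or chain used up: re-enroll
        return u["count"] - 1, u["seed"]

    def verify(self, user_id, otp):
        u = self.users.get(user_id)
        if u is None or u["count"] <= 1:
            return False
        if not hmac.compare_digest(h(otp), u["last"]):
            return False
        u["last"], u["count"] = otp, u["count"] - 1  # each OTP works once
        return True


def demo():
    secret, seed = b"constructed pass phrase", b"ke1234"  # constructed values
    server = OtpServer()
    server.enroll("alice", seed, 100, chain(secret, seed, 100))
    n, s = server.challenge("alice")      # user id taken from the cookie
    otp = chain(secret, s, n)             # computed on the client
    first = server.verify("alice", otp)
    replay = server.verify("alice", otp)  # same OTP presented again
    return first, replay, n, server.challenge("alice")[0]
```

The replay is rejected because the server has already moved its stored value forward; the case the message calls out, where the response never reaches the server that issued the challenge, is outside what this check covers.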

