httpd-dev mailing list archives

From Rob Hartill <hart...@ooo.lanl.gov>
Subject Re: PUT authoring
Date Tue, 18 Jun 1996 15:07:51 GMT
> 
> > Only the user-id is in the cookie. That's safe. 
> 
> Huh?  So, the server sees "brian" in the cookie, and calls that
> authentication?  

No, it sees "brian" and says "ah, I need to generate a challenge for 'brian'"
and it sends the challenge. Your client then uses the challenge and the secret
password to generate a one-time password which it sends back to gain access.

If there's no cookie, the client won't identify itself during the first
connect so the server can't generate a challenge - this means we need
one more round trip. The cookie just tells the server who to generate
challenges for. These are very predictable in S/Key anyway so we don't
care who sees them.

> > New one-time-passwords
> > are sent when they are asked for.. those are useless unless you can
> > intercept the request and bounce it away from the server that asked for
> > it. No smoke, mirrors or duct tape.
> 
> I can't parse this....

S/Key is based on one-time passwords; sniffing a password is useless
if the password gets used before you can abuse it.
I was just showing that the safe door is firmly closed.

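The exchange described in the message above, as an added worked example that is not part of the original post and not Apache code: a cookie carrying only the user-id lets the server issue the S/Key-style challenge (sequence number and seed) on the first round trip; the client derives the one-time password from the challenge and its secret; the server checks it by hashing the response once and comparing it with the last accepted value, then advances the chain so that a sniffed response is useless on replay. Assumptions, not from the page: the hash step is SHA-256 folded to 64 bits (the original S/Key used MD4/MD5), the user table is a plain dict, and HTTP requests and cookies are modelled as Python dicts.

```python
"""Toy S/Key-style challenge/response with a user-id cookie.

Added example only. Assumptions: SHA-256 folded to 64 bits stands in for
the original MD4/MD5 step; a dict is the server's user table; requests and
cookies are dicts instead of real HTTP.
"""
import hashlib
import hmac
import secrets


def fold(data: bytes) -> bytes:
    """One hash step: digest, then XOR-fold to 64 bits (S/Key keeps 64-bit values)."""
    d = hashlib.sha256(data).digest()
    return bytes(a ^ b ^ c ^ e for a, b, c, e in zip(d[0:8], d[8:16], d[16:24], d[24:32]))


def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """The n-th one-time password: n hash steps applied to H(seed || secret)."""
    x = fold(seed + secret)
    for _ in range(n):
        x = fold(x)
    return x


class Server:
    def __init__(self):
        self.users = {}  # user -> {"seq": int, "seed": bytes, "last": bytes}

    def enroll(self, user: str, secret: bytes, count: int = 100) -> None:
        # Done once, out of band. The server stores only the top of the chain,
        # never the secret itself.
        seed = secrets.token_hex(4).encode()
        self.users[user] = {"seq": count, "seed": seed, "last": otp(secret, seed, count)}

    def request(self, cookie: dict) -> dict:
        """First round trip. With a user-id cookie the challenge goes out at once."""
        user = cookie.get("user")
        rec = self.users.get(user)
        if rec is None:
            return {"status": 401, "note": "identify yourself first (extra round trip)"}
        if rec["seq"] <= 0:
            return {"status": 401, "note": "chain exhausted, re-enroll"}
        # The challenge is public and predictable: next sequence number plus seed.
        return {"status": 401, "challenge": (rec["seq"] - 1, rec["seed"])}

    def verify(self, user: str, response: bytes) -> bool:
        rec = self.users.get(user)
        if rec is None or rec["seq"] <= 0:
            return False
        # Hashing the response once must reproduce the last accepted password.
        if not hmac.compare_digest(fold(response), rec["last"]):
            return False
        rec["last"] = response  # advance the chain: this password is now spent
        rec["seq"] -= 1
        return True


class Client:
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret
        self.cookie = {"user": user}  # only the user-id, as the message says

    def answer(self, challenge) -> bytes:
        seq, seed = challenge
        return otp(self.secret, seed, seq)


def demo():
    """Returns (first login ok, replay of sniffed response ok, next login ok)."""
    srv = Server()
    srv.enroll("brian", b"correct horse")
    brian = Client("brian", b"correct horse")

    # No cookie: the server does not know whom to challenge yet.
    anon = srv.request({})
    assert "challenge" not in anon

    # Cookie present: challenge arrives on the first round trip.
    chal = srv.request(brian.cookie)["challenge"]
    resp = brian.answer(chal)
    first_ok = srv.verify("brian", resp)

    # A sniffer who captured `resp` and replays it after use gets nothing.
    replay_ok = srv.verify("brian", resp)

    # The real client simply answers the next (predictable) challenge.
    second_ok = srv.verify("brian", brian.answer(srv.request(brian.cookie)["challenge"]))
    return first_ok, replay_ok, second_ok


if __name__ == "__main__":
    print(demo())
```

Note the two properties the message relies on: the challenge carries nothing secret (anyone can predict the next sequence number), and the server stores only H(previous response), so a captured response is worthless once the chain has advanced past it.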