httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: PUT authoring
Date Tue, 18 Jun 1996 19:53:18 GMT
On Tue, 18 Jun 1996, Rob Hartill wrote:
> > I have worked with S/Key before...
> > I think that skey has several other advantages that make it worth
> > implementing, such as onetime use tokens, etc...
> > S/Key can be configured to generate onetime passwords automagickly.
> > The catch is due to the challenge response nature of an S/Key
> > the interaction needs to happen like this:
> > 	Client asks for web page
> > 	Server asks for a user id with the authentication scheme of S/Key
> > 	Client returns user id
> > 	Server returns s/key # (challenge)
> > 	Client returns one-time password (response)
> 
> Cookies!
> 
> After the first connection, the user id can be put into a cookie so that
> a challenge is immediately possible thereafter.

No.  If you're using something like s/key to protect something, the last
thing you want to use after that is cookies.  It's sorta like putting a
piece of duct tape over the door of an unlocked safe.  

Cookies should *never* be used for authentication purposes, except in the
*weakest* of needs (such as refreshing a "preferences" setting).  They are
extremely vulnerable to man-in-the-middle and untrusted-environment hacks,
not to mention the content can be cached by proxies.  

Again... why not use digest auth?

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
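The five-step dialogue quoted at the top of this message (page request, scheme announcement, user id, sequence-number challenge, one-time-password response) can be seen end to end in the following added example. It is not code from this thread or from Apache, and it simplifies real S/Key: SHA-256 stands in for S/Key's 64-bit-folded MD4, the "wire" is a pair of Python calls rather than WWW-Authenticate/Authorization headers, and the class, function and user names are invented for illustration. What it does preserve is the property that makes the scheme worth a challenge: the server stores only the last accepted password, and a captured response is useless once it has been used.

```python
"""Simplified S/Key-style one-time-password challenge/response.

Assumptions (not real S/Key): SHA-256 replaces S/Key's 64-bit-folded MD4,
and the HTTP exchange is modelled as direct method calls.
"""
import hashlib
import hmac


def otp_chain(passphrase: str, seed: str, n: int) -> bytes:
    """Hash (seed + passphrase) n times: link n of a Lamport hash chain."""
    h = hashlib.sha256((seed + passphrase).encode()).digest()
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h


class SKeyServer:
    """Per user, the server keeps only the seed, the sequence number and the
    LAST accepted one-time password (chain link `count`), never the passphrase."""

    def __init__(self):
        self.users = {}  # hypothetical store: user id -> [seed, count, last_otp]

    def enroll(self, user: str, passphrase: str, seed: str, count: int = 100):
        # Done once, out of band: compute link `count` and remember it.
        self.users[user] = [seed, count, otp_chain(passphrase, seed, count)]

    def challenge(self, user: str):
        """Steps 2 and 4 of the post: announce the scheme, then 'sequence seed'."""
        seed, count, _ = self.users[user]
        if count <= 1:
            return None  # chain exhausted: the user must re-enroll
        return ("S/Key", count - 1, seed)

    def verify(self, user: str, response: bytes) -> bool:
        """Step 5: accept iff H(response) equals the stored link, then advance."""
        record = self.users[user]
        _seed, count, last = record
        if count <= 1:
            return False
        if hmac.compare_digest(hashlib.sha256(response).digest(), last):
            record[1] = count - 1  # next challenge asks for link count-2
            record[2] = response   # the accepted OTP is the new anchor
            return True
        return False


class SKeyClient:
    """The calculator side: holds the passphrase and answers a challenge."""

    def __init__(self, passphrase: str):
        self.passphrase = passphrase

    def respond(self, challenge) -> bytes:
        _scheme, n, seed = challenge
        return otp_chain(self.passphrase, seed, n)


def run_exchange(server: SKeyServer, client: SKeyClient, user: str) -> bool:
    """One complete login: server issues a challenge, client answers it."""
    ch = server.challenge(user)
    if ch is None:
        return False
    return server.verify(user, client.respond(ch))


def replay_attack(server: SKeyServer, client: SKeyClient, user: str) -> bool:
    """An eavesdropper records a valid response and replays it. The replay
    fails because the server has already moved one link down the chain."""
    ch = server.challenge(user)
    captured = client.respond(ch)
    server.verify(user, captured)         # the legitimate login succeeds
    return server.verify(user, captured)  # the replayed OTP is rejected


if __name__ == "__main__":
    srv = SKeyServer()
    srv.enroll("alice", "correct horse battery", "ab1234", count=5)
    print("login:", run_exchange(srv, SKeyClient("correct horse battery"), "alice"))
    print("replay:", replay_attack(srv, SKeyClient("correct horse battery"), "alice"))
```

Note that the sequence number counts down on every successful login, which is why the exchange needs a fresh challenge each time and why the chain eventually has to be re-seeded.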

