httpd-dev mailing list archives
From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: user authentication "best practices"
Date Fri, 17 Mar 2000 15:35:32 GMT


Marc Slemko wrote:
> 
> (somewhat offtopic, but unfortunately no good forum for discussing
> such things has really evolved to a useful point)
> 
> Is anyone aware of a document describing current best practices (from a
> security perspective) for authenticating random users on a web site?
> 
> Things like not trusting cookies to be completely private, requiring
> extra validation (eg. password) before performing sensitive actions,
> not putting complete trust in the privacy of URLs, the issues of
> persistent and single-signon systems, etc.?
> 
> It is just amazing how stupid so many sites are in this regard, and
> how little understanding most developers have about the issues.  While I'm
> trying to point out their stupidity to the sites that I care about
> (ie. use)... it is hard.  Damn hard.
> 
> So if I can't find such a document to point these people to, maybe I
> better write one.  This is especially bad with the cross site scripting
> issues, but a lot of sites are doing things that are just bad anyway.

The place IMHO for this is the IETF. Talk about this has been abundant
in the past.. but nothing has come from it.

Just submitting it as an internet draft would be worth it. Just to see
people making stabs at it. And getting it through the IAB/IESG
scrutiny process towards an informational RFC would be a good sanity check.

Dw.
