httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <mearn...@gmail.com>
Subject Re: [users@httpd] IP-address spoofing a concern?
Date Tue, 27 Jan 2009 22:12:24 GMT
>> Like I said, it's not clear to me how this [HTTP Digest Authentication] would solve
my [Session Hijacking] problem. Can
>> you elaborate a little?

Wow, well thanks both of you for the great information. I didn't
realize that a new nonce was generated for each request, so I didn't
see how it was any different than a regular session id, but this
really is just like having the user reauthenticate for every request,
but without bugging them.

As you both pointed out, man in the middle attacks are still a
problem...kind of a real bummer apache doesn't have auth-int yet, but
it looks like this might be feasible with a server-side script.

Thanks again for all the advice.

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message