httpd-users mailing list archives

From Krist van Besien <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] HTTPS only for login page (when apache front tomcat)
Date Thu, 22 Apr 2010 05:29:26 GMT
On Thu, Apr 22, 2010 at 6:37 AM, chamila piyasena <tchamila@gmail.com> wrote:
> Actually there are some performance problems. That's why I was thinking of
> using https only for login. Yahoo still uses it, Google used it before.

The problem is that, with the nature of HTTP, having only the login
dialog protected by https is really rather pointless.
The HTTP protocol is "atomic". There is no such thing as a "logged in
user" or a "session" defined in the protocol. That means that whatever
is used to link a request with a particular authenticated user is sent
with every request. That is why an authenticated session should be
protected by https the whole time, not just during login.

Just consider the following:
- You direct a user to a login form. He enters username and password,
gets authenticated and receives a session cookie from the server.
- This session cookie is sent with each subsequent request, so that
the requests can be associated with an authenticated user.
- Someone intercepts this cookie by eavesdropping on the line. With
this cookie this person can now impersonate the user without knowing
the user's username or password...

You must realise that whatever data a browser sends to associate a
request with an authenticated session is basically equivalent to
authentication data. That is why it should never be sent in the clear.
And that is why session cookies that are obtained after logging in
over https should have the secure flag set.

It is possible that Yahoo doesn't do this, but then it is entirely
possible that Yahoo doesn't care about its users...

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
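The post's point, that the session cookie is authentication data and must carry the Secure flag, can be checked on the server's own responses. The following is an added example, not part of the list message or of the httpd/Tomcat projects: it parses Set-Cookie header values and reports session cookies that would be sent over plain HTTP (no Secure) or be readable by page scripts (no HttpOnly). The header values and the `JSESSIONID` cookie name are constructed for the example; the hypothetical `/app` path and cookie values are made up.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attribute.

Constructed example: given the Set-Cookie values a browser receives after
logging in, report any session cookie that is missing the flags. Cookie
names, values and paths below are made up, not taken from a real server.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for bare flags like Secure
    attributes: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 shape: name=value; attr; attr=val)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags without '=' become True
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def audit_cookies(set_cookie_headers, session_names=("JSESSIONID",)):
    """Return (cookie name, problem) tuples for session cookies lacking flags."""
    findings = []
    for header_value in set_cookie_headers:
        cookie = parse_set_cookie(header_value)
        if cookie.name not in session_names:
            continue  # only the cookies that carry the authenticated session matter
        if not cookie.secure:
            findings.append((cookie.name, "missing Secure: browser will send it over plain http"))
        if not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly: readable by scripts in the page"))
    return findings


# Constructed Set-Cookie values, as a login response from Tomcat behind httpd might carry them
LOGIN_RESPONSE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",                   # neither flag set
    "JSESSIONID=FEDCBA9876543210; Path=/app; Secure; HttpOnly",  # both flags set
    "lang=en; Path=/; Max-Age=31536000",                         # not a session cookie, ignored
]

if __name__ == "__main__":
    for name, problem in audit_cookies(LOGIN_RESPONSE_HEADERS):
        print(f"{name}: {problem}")
```

Run against the headers a real login response returns (for example, captured with a browser's developer tools) rather than the constructed list; the first sample cookie above produces two findings, the second none. When Tomcat itself does not add the flags, they can be appended on the httpd side with mod_headers' `Header edit Set-Cookie` directive, which rewrites the outgoing header before it reaches the browser.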

