Re: Re: Cookies at XML Europe 2004 -- Call for Participation
> If somebody's trying to brute force guess passwords by logging in
> repeatedly, that's pretty much the same issue with either cookies or
> digest authentication.

No. If I can get the plaintext request and response to an HTTP digest-auth message, then I can do my attack completely offline without involving the server at all. That is a *huge* difference compared to repeatedly trying to log in (i.e., guess the password). And remember, what's then been broken is the client's login password, not a finite-lifetime session key.

Given the recent messages and links about digest, I think we have to admit that it's a non-interoperable mechanism that's only slightly better than basic-auth, and its client-side management facilities and end-user knowledge are worse than cookies.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
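The point above, that a captured digest exchange can be checked against password guesses with no further server contact, follows from the RFC 2617 response being a deterministic MD5 of values that all travel in the clear except the password. The example below is added here and is not from the thread; the user, realm, nonce and URI values are constructed, and the "capture" is built with the same function a server would use to verify the header.

```python
import hashlib


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    nc="00000001", cnonce="0a4f113b", qop="auth"):
    """RFC 2617 qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # only secret input
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def password_matches_capture(capture: dict, candidate: str) -> bool:
    """Same check the server performs; an eavesdropper holding the
    plaintext Authorization header can run it locally, which is why a
    digest exchange sent without TLS exposes the long-lived password to
    offline guessing, and why the defence is TLS plus password entropy."""
    expected = digest_response(
        capture["username"], capture["realm"], candidate,
        capture["method"], capture["uri"], capture["nonce"],
        capture["nc"], capture["cnonce"], capture["qop"],
    )
    return expected == capture["response"]


# Constructed sample (not real credentials): the fields an observer sees
# in a plaintext Authorization header, plus the response derived from the
# password that never appears on the wire.
SAMPLE_PASSWORD = "Circle Of Life"
CAPTURED = {
    "username": "mufasa",
    "realm": "example.test",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
}
CAPTURED["response"] = digest_response(
    CAPTURED["username"], CAPTURED["realm"], SAMPLE_PASSWORD,
    CAPTURED["method"], CAPTURED["uri"], CAPTURED["nonce"],
)
```

By contrast, a random session cookie carries nothing a captured copy can be tested against, and it expires with the session; a cracked digest yields the client's reusable password.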