Re: Re: Cookies at XML Europe 2004 -- Call for Particip ati
I know about digest-auth. Yes, it sends a hash (not encrypted password) rather than the plaintext. But it sends it every time which they admit isn't terribly secure, it is subject to dictionary attacks (with new data every time the nonce expires), and it uses the deprecated MD-5 as opposed to SHA-1. It also doesn't *seem* (in my quick test) to be supported by IE, which knocks out a large part of the net. (Always a tip-off when folks use the phrase "supported by modern browsers," I've done it myself.:) Good security requires state. Bad security leaves your login passwords lying around. Using a cookie to maintain a timed-out login session seems the best way to do good and avoid bad. And since I don't believe that RFC 2109 violates web architecture, we'll just have to agree to disagree. Happy new year. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format