[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Re: Cookies at XML Europe 2004 -- Call for Participation
> What is to prevent replay attacks in the cookie scenario you describe? I'm not sure what you mean by replay attack. What packets (HTTP requests) is the adversary replaying? If the initial login form is protected by SSL, than there's nothing to steal for future replay. (If your adversary can crack SSL/TLS, it's safe to assume they're going to go after bigger fish than you might be. :) > A timeout only prevents *delayed* replay attacks. No, a timeout limits the exposure if the credentials are stolen. A cookie is essentially a session authenticator, and not the long-term identity authenticator. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|