XML Editor - Download a Free Trial >
See What's New >
Buy Now >

[Home] [By Thread] [By Date] [Recent Entries] 

Rich Salz scripsit:

> HTTP auth requires SSL for all connections or else passwords can be 
> stolen -- do you include that in your "setup in 5 minutes" overhead? 
> With cookies, you only need SSL on the login page if you make the cookie 
> be an opaque ID into server state that has a time-out.  In general, 
> login cookies are more secure with less overhead.

What is to prevent replay attacks in the cookie scenario you describe?
A timeout only prevents *delayed* replay attacks.

-- 
They do not preach                              John Cowan
  that their God will rouse them                jcowan@r...
    A little before the nuts work loose.        http://www.ccil.org/~cowan
They do not teach                               http://www.reutershealth.com
  that His Pity allows them                         --Rudyard Kipling,
    to drop their job when they damn-well choose.   "The Sons of Martha"
XML Editor - Download a 15 Day Free Trial Now >
See What's New in Stylus Studio >
Buy Stylus Studio - XML Editor - Now >
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member