[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization

Antoine Pitrou solipsis at pitrou.net
Tue Sep 27 16:56:08 UTC 2005


Hi,

> The first interesting thing to note is that your proposed solution
> implicitly acknowledges the fact that the username/password is not
> providing access control. In your proposed solution, the use of
> username/password is irrelevant.

Well, this is the classical token-based approach. You log in once, and
then some temporary secret data allows you to enter again without
logging in. Note that you can also re-ask for the login/pass if the user
tries to do something really dangerous (this is what is usually done
when requesting a password change).

(by the way, I'm not talking about HTTP auth, rather session
cookie-based auth after a first authentication form or challenge)

> For example, the blog post page from the
> example above could do a GET on the URL that produces your FORM that
> contains a newly generated spend ID. The blog post page could then
> extract the spend ID from the returned FORM and use it to construct a
> new FORM, like the one it constructed in the example above.

Well, if Javascript allows the browser to fake a human being without the
user being aware of it, I think there's nothing serious we can do
against it. The only solution is to devise proper security inside
Javascript, or to devise alerts in Web browsers when such behaviour is
detected.

Regards

Antoine.
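The scheme discussed in this exchange, as an added example that is not part of the original post or of any code the participants published: a session cookie issued once at login, plus a single-use per-form "spend ID" that the server checks on each POST. The class name Server, the method names, and the credentials are assumptions for illustration. The example shows the three cases the thread argues about: a cross-site page that can make the browser send the cookie but cannot read the form to learn the spend ID (rejected), the legitimate human flow (accepted once, replay rejected), and a script running in the page's own origin that fetches the form and extracts the spend ID (accepted, which is exactly the case the reply says the server cannot distinguish).

```python
"""Session cookie plus single-use per-form spend ID (added example,
not code from the mailing list thread). Server, login, render_form and
handle_post are hypothetical names chosen for this illustration."""
import re
import secrets


class Server:
    def __init__(self):
        # session cookie value -> {"user": name, "spend_ids": set of unspent ids}
        self.sessions = {}

    def login(self, user, password):
        """First authentication: constructed credential check (a real server
        verifies a password hash). Returns the session cookie value or None."""
        if (user, password) != ("alice", "correct horse"):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "spend_ids": set()}
        return cookie

    def render_form(self, cookie):
        """GET the posting form. Mints a fresh spend ID, remembers it for this
        session only, and embeds it as a hidden field. Returns None without
        a valid session cookie."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return None
        spend_id = secrets.token_urlsafe(16)
        sess["spend_ids"].add(spend_id)
        return (
            '<form method="post" action="/post">'
            f'<input type="hidden" name="spend_id" value="{spend_id}">'
            '<textarea name="body"></textarea></form>'
        )

    def handle_post(self, cookie, form):
        """POST handler. The cookie alone is not enough: the form must carry a
        spend ID that this session was issued and has not yet spent. The ID
        is unguessable (128 random bits), so a plain membership test suffices.
        Returns (status, message)."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return 401, "no session"
        spend_id = form.get("spend_id", "")
        if spend_id not in sess["spend_ids"]:
            return 403, "missing, unknown or already spent spend ID"
        sess["spend_ids"].discard(spend_id)  # single use: replay is refused
        return 200, f"posted by {sess['user']}"


def extract_spend_id(html):
    """What a script in the page's own origin can do: read the hidden field.
    A page on another origin cannot read this response (same-origin policy)."""
    m = re.search(r'name="spend_id" value="([^"]+)"', html)
    return m.group(1) if m else ""


def demo():
    """Run the three scenarios and return their HTTP statuses."""
    srv = Server()
    cookie = srv.login("alice", "correct horse")

    # 1. Cross-site forgery: the browser attaches the cookie automatically,
    #    but the attacking page never saw a form, so it has no spend ID.
    csrf = srv.handle_post(cookie, {"body": "spam"})[0]

    # 2. Human flow: GET the form, submit it once, then try to replay it.
    sid = extract_spend_id(srv.render_form(cookie))
    human = srv.handle_post(cookie, {"spend_id": sid, "body": "hello"})[0]
    replay = srv.handle_post(cookie, {"spend_id": sid, "body": "hello"})[0]

    # 3. Script in the same origin (the case raised in the quoted message):
    #    fetch the form, extract the fresh spend ID, post. Indistinguishable
    #    from the human flow on the server side.
    injected = extract_spend_id(srv.render_form(cookie))
    scripted = srv.handle_post(cookie, {"spend_id": injected, "body": "x"})[0]

    return {"csrf": csrf, "human": human, "replay": replay, "scripted": scripted}


if __name__ == "__main__":
    print(demo())
```

The server-side check closes the cross-site case and the replay case; it does nothing against code that already runs in the page's origin, which is why the reply above places the remaining defence in the browser rather than the server.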