[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] HTTP AUTH BASIC monowall.

To: Brian Eaton <eaton.lists@xxxxxxxxx>
Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
From: Simon Smith <simon@xxxxxxxxxxx>
Date: Fri, 17 Mar 2006 12:43:54 -0500

Brian,
    I fully agree and thanks for the references. My next step after I'd
found a good solution was going to be focusing in the session security. 
Thanks for the input/help man. I appreciate it!

Brian Eaton wrote:
> Simon Smith simon at snosoft.com wrote
>   
>> My first thought was on how to harden the
>> authentication because the basic auth didn't cut it for me. Thats what I
>> am looking for ideas for.
>>     
>
> Here are some things to start with:
>
> Client certificates.
> Kerberos.
> Two-factor authentication.
>
> Unfortunately with web applications you not only need to worry about
> the initial authentication, but how the session is maintained.  If the
> session is maintained using cookies, all the strong authentication in
> the world won't save you from having that session hijacked.
>
> - Brian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>   


-- 
Regards, 
        Jackass


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Brian Eaton

Prev by Date: [Full-disclosure] [ GLSA 200603-13 ] PEAR-Auth: Potential authentication bypass
Next by Date: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Previous by thread: [Full-disclosure] HTTP AUTH BASIC monowall.
Next by thread: [Full-disclosure] [ MDKSA-2006:055 ] - Updated gnupg packages fix signature file verification vulnerability
Index(es):
- Date
- Thread