- From: Timothy D. Morgan <tmorgan@vsecurity.com>
- Date: Thu, 25 Feb 2010 08:00:37 -0800
Hello, As a follow up to my paper advocating HTTP authentication over cookies [1], I've built a simple sample application which demonstrates how a combination of XMLHttpRequest and response code tricks can be used to achieve form-based login, logout, and authenticated password changes in the four most popular browsers: http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip Note that this is achieved without using any checks to determine what browser is being used. While this is promising, I still think we should have an HTTP-based log out mechanism. In addition, the proposed W3C change to XMLHttpRequest authentication behavior will make this code much simpler. cheers, tim 1. http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
Received on Thursday, 25 February 2010 08:00:37 UTC