Posted by Colin McKinnon on 01/03/07 00:21
Ric wrote:
> Anze schrieb:
>> What is more: I think there is no way to store data on client computer
>> and transmit it on challenge / response mechanism.
>
> Exactly
AFAIK any data stored in a format accessible to javascript (i.e. in a
cookie) will be sent over the internet in the request for the page which
contains the javascript. Until you can dissociate these, a challenge
response mechanism will be invalid. Mozilla-based browsers used to allow you
to have limited local I/O from signed scripts - but it's not a very
practical solution.
>
>>
>> Am I right?
>>
>>
>> I thought I might have a solution to this, but when trying to implement
>> it I figured out that JS can't access SSL-only cookies. :(
>
> That would be really bad:-)
Are you sure? I think you are confusing the HTTPOnly attribute with the
secure attribute.
>>
>> Any thoughts on how to implement secure "remember me" without SSL would
>> be appreciated. Even "it can't be done" would be helpful... :)
>>
>
> It can't be done in a completely secure way.
Yes it can (without SSL). There are pure javascript implementations of RSA
(asymmetric encryption) but I suspect you'd need to keep changing the
encryption key to prevent replay attacks. It's not worth busting the grey
cells when SSL should just work.
Just use SSL.
C.
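The HttpOnly/Secure mix-up raised in this reply is easy to settle with a small model of the two attributes. The following is an added example, not code from the thread or from any browser; it parses a Set-Cookie header and answers two questions the same way a browser's cookie store does: will the cookie travel with a request on a given scheme, and will page script see it in document.cookie. Function names (parseSetCookie, sentOnRequest, visibleToScript) and the sample headers are constructed for this illustration.

```javascript
// Added example: model of the Secure and HttpOnly cookie attributes.
// Not taken from the thread; uses plain Node.js with no dependencies.

// Parse one Set-Cookie header value into name, value and the two flags
// relevant here. Other attributes (Path, Domain, Expires...) are ignored.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const key = attr.split("=")[0].trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Secure only restricts *transmission*: the cookie is attached to HTTPS
// requests and withheld from plain HTTP ones. HttpOnly has no say here,
// so an HttpOnly cookie without Secure still crosses the wire in cleartext.
function sentOnRequest(cookie, scheme) {
  return !cookie.secure || scheme === "https";
}

// HttpOnly is what hides a cookie from document.cookie. A Secure cookie is
// invisible to script on an http: page only because the cookie store does
// not release it to an insecure origin at all; on an https: page script
// reads it unless HttpOnly is also set.
function visibleToScript(cookie, scheme) {
  return sentOnRequest(cookie, scheme) && !cookie.httpOnly;
}

// Summarise both answers for a header on a given scheme.
function classify(header, scheme) {
  const c = parseSetCookie(header);
  return {
    name: c.name,
    sentOnRequest: sentOnRequest(c, scheme),
    visibleToScript: visibleToScript(c, scheme),
  };
}

// Constructed sample headers, checked on both schemes.
const samples = [
  "remember=tok1",                    // neither flag
  "remember=tok2; Secure",            // transmission restricted to HTTPS
  "remember=tok3; HttpOnly",          // hidden from script, still sent over HTTP
  "remember=tok4; Secure; HttpOnly",  // both
];
for (const scheme of ["http", "https"]) {
  for (const h of samples) console.log(scheme, JSON.stringify(classify(h, scheme)));
}
```

Running it shows the point made in the reply: without Secure, whatever script can read in a cookie is also sent in the clear on every request for the page, and HttpOnly on its own does nothing to change that.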