Posted by Ric on 01/03/07 00:58
Colin McKinnon wrote:
> Ric wrote:
>
>> Anze wrote:
>>> What is more: I think there is no way to store data on client computer
>>> and transmit it on challenge / response mechanism.
>> Exactly
>
> AFAIK any data stored in a format accessible to javascript (i.e. in a
> cookie) will be sent over the internet in the request for the page which
> contains the javascript. Until you can dissociate these, a challenge
> response mechanism will be invalid. Mozilla-based browsers used to allow you
> to have limited local I/O from signed scripts - but it's not a very
> practical solution.
>
>>> Am I right?
>>>
>>>
>>> I thought I might have a solution to this, but when trying to implement
>>> it I figured out that JS can't access SSL-only cookies. :(
>> That would be really bad:-)
>
> Are you sure? I think you are confusing the HTTPOnly attribute with the
> secure attribute.
No, I guess I didn't make myself clear: it would be really bad if js
couldn't access these cookies on the client's computer, because then a
cookie would be useless.
>
>>> Any thoughts on how to implement secure "remember me" without SSL would
>>> be appreciated. Even "it can't be done" would be helpful... :)
>>>
>> It can't be done in a completely secure way.
>
> Yes it can (without SSL). There are pure javascript implementations of RSA
> (asymmetric encryption) but I suspect you'd need to keep changing the
> encryption key to prevent replay attacks. It's not worth busting the grey
> cells when SSL should just work.
>
Ok, I can follow your thoughts, but you probably forgot that he wanted
to store a persistent cookie, so when the user comes back the next day
he doesn't have to log in. If you consider that, then a cookie can also be
stolen if someone has access to his computer, for example through a
local account, or through some trojan etc. One of the classics is
looking at eDonkey, Kazaa etc. for cookies; some users are dumb enough
to also share their home drive:-)
In this case it doesn't help to encrypt the cookie's content, because if
he has the cookie then there is no need for him to decrypt it:-)
> Just use SSL.
>
> C.
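As an added illustration of the two points the thread turns on (a cookie copied from the client's disk can be replayed no matter how its content is encrypted, and the HttpOnly and Secure attributes do different jobs), here is a server-side "remember me" scheme written for this page; it is not code from Ric, Colin, Anze or any project they mention. It assumes a selector/token cookie whose token is stored only as a hash and rotated on every use, so a replayed stale copy reveals the theft and lets the server revoke the series; the in-memory dictionary stands in for a database, and the Python (rather than the newsgroup's PHP) is a choice made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Series:
    user: str
    token_hash: str      # only the hash of the current token is kept server-side
    compromised: bool = False


class RememberMeStore:
    """Persistent-login tokens with server-side rotation and revocation.

    The cookie value is "<selector>:<token>". The server keeps a hash of the
    token and replaces the token on every successful use. If a copy of the
    cookie is stolen from the client's disk and used, whoever presents the
    stale copy afterwards (thief or legitimate user) triggers revocation of
    the whole series, so a theft is detected at the next visit instead of
    lasting for the cookie's full lifetime.
    """

    def __init__(self):
        self.series: dict[str, Series] = {}   # stand-in for a DB table (assumption)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Start a new series for `user`; returns the cookie value to set."""
        selector = secrets.token_urlsafe(12)
        token = secrets.token_urlsafe(32)
        self.series[selector] = Series(user, self._hash(token))
        return f"{selector}:{token}"

    def redeem(self, cookie: str):
        """Validate a presented cookie. Returns (user, rotated_cookie) or (None, None)."""
        try:
            selector, token = cookie.split(":", 1)
        except ValueError:
            return None, None
        s = self.series.get(selector)
        if s is None or s.compromised:
            return None, None
        if not hmac.compare_digest(s.token_hash, self._hash(token)):
            # Known series but a stale token: a copy of this cookie has been
            # used elsewhere, so the series is revoked and a fresh login forced.
            s.compromised = True
            return None, None
        new_token = secrets.token_urlsafe(32)
        s.token_hash = self._hash(new_token)
        return s.user, f"{selector}:{new_token}"


def cookie_header(value: str, https: bool) -> str:
    """Build the Set-Cookie line for the remember-me cookie.

    HttpOnly keeps the value away from document.cookie (script access);
    Secure keeps it off cleartext requests, which only makes sense when
    the site is actually served over HTTPS.
    """
    attrs = ["remember=" + value, "Path=/", "Max-Age=2592000",
             "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def theft_scenario() -> tuple:
    """Constructed scenario: a cookie copied from disk is used by a thief first."""
    store = RememberMeStore()
    cookie = store.issue("alice")
    stolen_copy = cookie                          # copied from the client's disk
    thief, thief_next = store.redeem(stolen_copy)  # works: one replay cannot be prevented
    alice, _ = store.redeem(cookie)               # alice's copy is now stale -> theft detected
    thief_again, _ = store.redeem(thief_next)     # thief's rotated cookie is dead too
    return thief, alice, thief_again


if __name__ == "__main__":
    print(theft_scenario())                                  # ('alice', None, None)
    print(cookie_header("sel:tok", https=False))
```

The point Ric makes survives intact: the first replay of the stolen copy succeeds, and no encryption of the cookie's content would change that. What the rotation buys the defender is that the damage is bounded to the window before the victim's next visit, and that the server learns a theft happened rather than silently honouring the cookie for thirty days.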