Syntactic Confectionery Delight | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
no, this is really not any more secure than http authentication (not that that's saying much). if Eve is watching the transactions, all she has to do is take the random string out of the page that you send and send it back to you with some bogus data. she just has to do it before the legitimate user hits submit. yes, you prevent her from learning the user's password and using at a later date but that's about it. (although if she can sniff the connection, she could probably just grab it at an earlier stage when you first authenticate so it doesn't matter much) encrypting the random string won't make any difference. a good encryption algorithm will effectively just turn one random string into another random string. if you are worried about sniffing, stick with SSL. In reply to Re: Secure State Maintenance
by thraxil
|
|