On Thu, Apr 22, 2010 at 6:37 AM, chamila piyasena <tchamila@xxxxxxxxx> wrote:
>
> actually there are some performance problems. that's why I was thinking of
> using https only for login. Yahoo still uses it, Google used it before.

The problem is that, with the nature of HTTP, having only the login dialog protected by https is really rather pointless.

The HTTP protocol is "atomic". There is no such thing as a "logged in user" or a "session" defined in the protocol. That means that whatever is used to link a request with a particular authenticated user is sent with every request. That is why an authenticated session should be protected by https the whole time, not just during login.

Just consider the following:

- You direct a user to a login form. He enters username and password, gets authenticated and receives a session cookie from the server.
- This session cookie is sent with each subsequent request, so that the requests can be associated with an authenticated user.
- Someone intercepts this cookie by eavesdropping on the line. With this cookie this person can now impersonate the user without knowing the user's username or password...

You must realise that whatever data a browser sends to associate a request with an authenticated session is basically equivalent to authentication data. That is why it should never be sent in the clear. And that is why session cookies that are obtained after logging in over https should have the secure flag set.

It is possible that Yahoo doesn't do this, but then it is entirely possible that Yahoo doesn't care about its users...

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
From the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
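The scenario in the post above, as an added example that is not code from the original message or from the Apache project: a minimal cookie jar that honours the Secure attribute the way a browser does, a login over https followed by a fall-back to plain http, and a check of what a passive eavesdropper on the http path captures and can replay. The host shop.example, the cookie name SESSIONID, the session id and the session table are constructed for the demonstration.

```python
"""Added example, not code from the original post or from the Apache project.

Models the browser's handling of a session cookie with a minimal cookie jar
and shows what a passive eavesdropper on the cleartext (http://) path can
replay. Hosts, cookie names, session ids and the user table are constructed
for the demonstration.
"""
from urllib.parse import urlsplit

# Constructed server-side session table: session id -> authenticated user.
SESSIONS = {"9f2c1e7a4b": "alice"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the attributes a session cookie is missing (empty list = OK)."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


class CookieJar:
    """Cookie jar that honours the Secure attribute the way a browser does.
    Domain and path matching are reduced to an exact host comparison."""

    def __init__(self):
        self._cookies = {}  # (host, name) -> (value, secure)

    def store(self, response_host, set_cookie_header):
        name, value, attrs = parse_set_cookie(set_cookie_header)
        self._cookies[(response_host, name)] = (value, "secure" in attrs)

    def cookie_header_for(self, url):
        """The Cookie header a browser would attach to a request for url."""
        parts = urlsplit(url)
        over_tls = parts.scheme == "https"
        sent = []
        for (host, name), (value, secure) in self._cookies.items():
            if host != parts.hostname:
                continue
            if secure and not over_tls:
                continue  # a Secure cookie is never sent in the clear
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def server_user_for(cookie_header):
    """What the server believes about a request carrying cookie_header.
    It cannot tell a replay from the real user: the cookie is the only
    link between the request and the authenticated session."""
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if name == "SESSIONID":
            return SESSIONS.get(value)
    return None


def cookie_sent_by_browser(secure_flag, url):
    """Log in over https (the Set-Cookie itself travels under TLS), then
    return the Cookie header the browser attaches to a request for url."""
    jar = CookieJar()
    header = "SESSIONID=9f2c1e7a4b; Path=/; HttpOnly"
    if secure_flag:
        header += "; Secure"
    jar.store("shop.example", header)
    return jar.cookie_header_for(url)


def eavesdropper_sees(secure_flag):
    """The site serves the page after login over plain http; this is what a
    sniffer on that path captures from the request."""
    return cookie_sent_by_browser(secure_flag, "http://shop.example/account")


if __name__ == "__main__":
    leaked = eavesdropper_sees(secure_flag=False)
    print("without Secure, sniffer captures:", repr(leaked))
    print("replaying it, the server says the user is:", server_user_for(leaked))
    print("with Secure, sniffer captures:", repr(eavesdropper_sees(True)))
```

Two things to take from the run. Without the Secure flag the sniffer captures the full session cookie and a replay is indistinguishable from the real user, exactly the impersonation described in the post. With the flag the sniffer gets nothing, but the http page gets no cookie either, so the user's session "disappears" on it: a Secure cookie only works together with serving the whole authenticated session over https, which is the post's actual point. In httpd the two halves are a redirect of the port-80 virtual host to https (mod_alias `Redirect permanent / https://www.example.com/`) plus a mod_headers rewrite of cookies the application emits without the flag (`Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`); the hostname here is a placeholder.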