[3319] in WWW Security List Archive
One time passwords for htaccess
daemon@ATHENA.MIT.EDU (Chil - Chihli Lu)
Mon Oct 21 17:39:35 1996
From: "Chil - Chihli Lu" <luchihli@schiaparelli.rutgers.edu>
Date: Mon, 21 Oct 1996 15:02:12 -0400
To: www-security@nsmx
Errors-To: owner-www-security@ns2.rutgers.edu
Hi, I'm wondering if anyone out there is using the htaccess/passwd function
with one time password schemes such as secureID and Enigma. The problem I have
is that the passwd will change after every authentication and the browser
(namely Netscape) will cache the username/passwd and just send it over again
whenever it sees the authentication block from the server. This of course is a
problem because my passwd has changed from the last access. The temporary
workaround that I have is to use temp. files with names that are hashed from
the username/passwd sent by the browser and to expire the session if the file was
not accessed in x amount of time. Does anyone have a better solution to this?
tia,
-chil
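
The temp-file workaround described in the message above, sketched as an added example; it is not the poster's code. The class name `OtpSessionCache`, the `verify_otp` callback standing in for the one-time-password server, and the use of a server-side HMAC key for the file names are all assumptions.

```python
import hashlib
import hmac
import os
import time


class OtpSessionCache:
    """Idle-timeout markers named after a keyed hash of the replayed credentials."""

    def __init__(self, directory, idle_seconds, secret, verify_otp):
        self.directory = directory        # private directory, writable by the server only
        self.idle_seconds = idle_seconds  # the "x amount of time" from the message
        self.secret = secret              # assumed server key: file names are not a bare password hash
        self.verify_otp = verify_otp      # hypothetical callback: True only for a fresh, valid code

    def _marker(self, username, password):
        # NUL separator so ("ab", "c") and ("a", "bc") cannot collide.
        msg = username.encode() + b"\0" + password.encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return os.path.join(self.directory, digest)

    def authenticate(self, username, password, now=None):
        now = time.time() if now is None else now
        path = self._marker(username, password)
        try:
            last_access = os.stat(path).st_mtime
        except FileNotFoundError:
            last_access = None
        if last_access is not None:
            if now - last_access <= self.idle_seconds:
                os.utime(path, (now, now))  # browser replayed cached credentials: slide the window
                return True
            os.unlink(path)  # idle too long: expire the session
        # No live session: the password must pass as a one-time code.
        # A replayed, already-used code fails here, forcing a new prompt.
        if not self.verify_otp(username, password):
            return False
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        os.close(fd)
        os.utime(path, (now, now))
        return True
```

Within the idle window the cached username/password pair works as a reusable credential, so the window length bounds how long a captured pair stays valid.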