[3334] in WWW Security List Archive
Re: One time passwords for htaccess
daemon@ATHENA.MIT.EDU (David W. Morris)
Tue Oct 22 18:03:46 1996
Date: Tue, 22 Oct 1996 13:17:06 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
Reply-To: "David W. Morris" <dwm@xpasc.com>
To: Chil - Chihli Lu <luchihli@schiaparelli.rutgers.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <9610211502.ZM27140@schiaparelli.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 21 Oct 1996, Chil - Chihli Lu wrote:
> Hi, I'm wondering if anyone out there is using the htaccess/passwd function
> with one time password schemes such as secureID and Enigma. The problem I have
> is that the passwd will change after every authentication and the browser
...
> workaround that I have is by using temp. files with names that are hashed from
> the username/passwd sent by the browser and expires the session if the file was
> not accessed in x amount of time. Does anyone have a better solution to this?
I can't comment on the specifics of your approach, but you have the
correct basic idea. You need to create a session concept on top of
HTTP which you have done. I tend to like to include the IP address in
the session relationship to make spoofing a tiny bit harder. Put the
session records (in your case the temp files) where they can't be seen
by other local users. Of course, you could impose https on top (below?)
if tight security is important. Session-only cookies may also help
track the identity of sessions. You could for example alter the cookie
on each response to create a one use ticket for each subsequent
request. Of course, timeouts and other tricks should also apply.
Dave Morris
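Added illustration, not part of the original thread: a small Python session layer implementing the approach Dave outlines above. The one-time password itself is assumed to have already been accepted by the OTP backend (SecurID, Enigma or whatever is in use) before the CGI calls create(); the store then issues a random session id and a one-use ticket, binds the session to the client IP, keeps the records in a 0700 directory as 0600 files so other local users cannot read them, rotates the ticket on every validated request (so a replayed cookie fails), and expires sessions after an idle timeout. The random session id in place of the original post's hash of username and password, the directory layout, the token sizes and the timeout value are all my choices, not anything from the list messages.

```python
"""Session layer on top of HTTP for one-time-password logins (example code).

Assumptions (not from the original post): the OTP has already been verified
by its backend before create() is called; records live as JSON files under a
0700 directory; session id and ticket are random 256-bit URL-safe tokens.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time

IDLE_TIMEOUT = 600  # seconds without a validated request before expiry (assumed value)


class SessionStore:
    def __init__(self, directory=None, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        # Default to a fresh private temp directory so the example runs stand-alone.
        self.dir = directory or tempfile.mkdtemp(prefix="otp-sessions-")
        os.makedirs(self.dir, mode=0o700, exist_ok=True)
        os.chmod(self.dir, 0o700)  # only the web server's uid may list or open records
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable for testing timeouts

    def _path(self, sid):
        # File name is a digest of the session id, so the raw id never appears in
        # a directory listing even if the directory permissions are misconfigured.
        return os.path.join(self.dir, hashlib.sha256(sid.encode()).hexdigest())

    def _write(self, sid, record):
        fd = os.open(self._path(sid), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)

    def _read(self, sid):
        try:
            with open(self._path(sid)) as f:
                return json.load(f)
        except FileNotFoundError:
            return None

    def create(self, username, client_ip):
        """Call after the OTP backend has accepted username/password.

        Returns (session_id, first_ticket); both go to the browser as
        session-only cookies.
        """
        sid = secrets.token_urlsafe(32)
        ticket = secrets.token_urlsafe(32)
        record = {"user": username, "ip": client_ip, "ticket": ticket, "last": self.clock()}
        self._write(sid, record)
        return sid, ticket

    def validate(self, sid, ticket, client_ip):
        """Check the cookies on a request.

        Returns (username, next_ticket) on success, None otherwise. The
        presented ticket is consumed: a replayed cookie will not validate.
        """
        record = self._read(sid)
        if record is None:
            return None
        now = self.clock()
        if now - record["last"] > self.idle_timeout:
            self.destroy(sid)  # idle too long: drop the record entirely
            return None
        if record["ip"] != client_ip:
            return None  # session bound to the original client address
        if not hmac.compare_digest(record["ticket"], ticket):
            return None  # stale or replayed ticket
        next_ticket = secrets.token_urlsafe(32)
        record["ticket"] = next_ticket
        record["last"] = now
        self._write(sid, record)
        return record["user"], next_ticket

    def destroy(self, sid):
        try:
            os.unlink(self._path(sid))
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    store = SessionStore()
    sid, ticket = store.create("alice", "10.0.0.5")        # after OTP check
    user, ticket2 = store.validate(sid, ticket, "10.0.0.5")  # first request
    print(user, store.validate(sid, ticket, "10.0.0.5"))    # replay -> None
```

A real deployment would also regenerate the session id (not just the ticket) after login, send the cookies only over https with the Secure flag, and note that the IP binding breaks for clients behind rotating proxies, which is why the original post calls it only "a tiny bit harder" to spoof.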