[7752] in bugtraq

Re: Webmail.bellsouth.net security problems

daemon@ATHENA.MIT.EDU (Edward S. Marshall)
Wed Aug 26 12:45:47 1998

Date: 	Tue, 25 Aug 1998 21:19:55 -0500
Reply-To: "Edward S. Marshall" <emarshal@LOGIC.NET>
From: "Edward S. Marshall" <emarshal@LOGIC.NET>
X-To:         Marc Slemko <marcs@ZNEP.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.GSO.4.02A.9808251635300.9812-100000@redfish>

On Tue, 25 Aug 1998, Marc Slemko wrote:
> This is one of the situations where cookies are actually one of the better
> solutions.  HTTP authentication is even better, but many people dislike it
> because they can't control the login prompt and due to how it can be
> cached by the client.

Another solution is to supply this data via POST instead of in the URL.
While it has an impact on design (everything has to be submitted via
buttons instead of just clicking links), it avoids any data being sent in
the URL. Do this with SSL, and the data should never be cached by an
intermediate machine.

SSL is a must with this type of thing anyway; the whole caching issue
becomes moot that way, along with a number of other security concerns.

--
-------------------.  emarshal at logic.net  .---------------------------------
Edward S. Marshall  `-----------------------'   http://www.logic.net/~emarshal/
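
An added example, not part of the original message: session data placed in a URL is recorded wherever URLs are recorded, such as access logs and the Referer field of later requests, while data sent in a POST body is not. The sketch below audits access log lines for that exposure. The Combined Log Format, the parameter names in SENSITIVE and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names that carry session or login data; adjust per application.
SENSITIVE = {"sid", "session", "sessionid", "token", "user", "password", "passwd"}

# Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def sensitive_params(url):
    """Return sorted names of sensitive parameters found in a URL's query string."""
    query = urlsplit(url).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})

def audit(lines):
    """Return (line_no, field, names) for each log field exposing sensitive data."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip it
        for field in ("target", "referer"):
            value = m.group(field)
            if value and value != "-":
                names = sensitive_params(value)
                if names:
                    findings.append((n, field, names))
    return findings

# Constructed sample log lines (hosts, paths and values are made up).
SAMPLE = [
    '192.0.2.10 - - [25/Aug/1998:21:19:55 -0500] "GET /mail/inbox?sid=abc123&folder=INBOX HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [25/Aug/1998:21:20:03 -0500] "GET /banner.gif HTTP/1.0" 200 812 "http://webmail.example/mail/read?sid=abc123&msg=4" "Mozilla/4.0"',
    '192.0.2.11 - - [25/Aug/1998:21:21:40 -0500] "POST /mail/inbox HTTP/1.0" 200 5098 "http://webmail.example/mail/login" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The third sample line is the POST design described in the message: its request target and Referer carry no session data, so it produces no finding.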
