Re: [WEB SECURITY] IP address change: relogin
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] IP address change: relogin
- Date: Fri, 23 May 2008 18:17:34 -0500
Stephan Wehner wrote on 5/22/2008 2:20 PM:
> On Wed, May 21, 2008 at 8:27 PM, Bil Corry <bil@xxxxxxxxx> wrote:
>> One final method that I've contemplated, but haven't had time to build a
>> PoC, is to use HTTP Digest Authentication and use XHR to passively
>> "authenticate" the user with the username being their session ID, and the
>> password a random value. Then using Digest's nonce, you can prevent replay
>> attacks, etc. The downside is you have to initially seed the browser with...
> Similar to this one?
> http://www.peej.co.uk/articles/http-auth-with-html-forms.html
Yes, the code I use is below; it uses jQuery for the XHR request.
- Bil
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Passive Login Demo</title>
<script src="http://jqueryjs.googlecode.com/files/jquery-1.2.3.min.js" type="text/javascript"></script>
<script language="JavaScript" type="text/javascript">
// Runs once the DOM is ready. jQuery hands username/password to
// XMLHttpRequest.open(), so when passwordCheck.lasso answers with a
// 401 Digest challenge the browser completes the Digest handshake itself.
// After a successful response the browser caches the credentials for that
// realm, and later page loads carry the Authorization header without any
// user interaction; that is what makes the login "passive".
$(function(){
$.ajax({
url: "passwordCheck.lasso",
cache: false,       // defeat any cached 200/401 for this URL
async: false,       // block until the challenge/response round trip is done
username: "myusername",   // in the scheme above: the session ID
password: "mypassword",   // in the scheme above: a per-session random value
success: function(html){
// Credentials accepted and now cached by the browser; move on.
window.location="loggedin.lasso";
},
error: function(html){
// 401 not satisfied (or request failed): no credentials were cached.
alert("Sorry, unable to log you in.");
return false;
}
});
});
</script>
</head>
<body style="background: white;">
<h1>Please wait...</h1>
You are being authenticated. Please turn on JavaScript if you see this message for longer than 30 seconds.
</body>
</html>