[OWASP-GUIDE] Session Management
Chris Shiflett
chris at shiflett.org
Thu Mar 4 21:11:17 EST 2004
--- Adrian Wiesmann <awiesmann at swordlord.org> wrote:
> - It should be explicitly said that the client needs to be
> re-authenticated with every new request.
I haven't read this document yet, so my interpretation of this suggestion
might be out of context. However, this strikes me as being potentially
incorrect and dangerous information.
In my opinion, the client should only be authenticated once. Thereafter,
the client only needs to be identified. This is the fundamental theory of
state management. Of course, secure identification can be challenging.
Suggesting that the client be authenticated for every single request will
lead people to expose authentication credentials (over the Internet) more
than necessary. This is an unnecessary risk, and I would identify this as
a potential problem in any security audit that I performed.
Again, if I completely misinterpreted this suggestion, then you can safely
ignore this message. I'm also happy to discuss further, and I can
elaborate on my reasoning.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming mid-2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
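As an added illustration of the authenticate-once, identify-thereafter model Chris describes, here is a small session store written for this page (not code from the thread or from the OWASP Guide). The password check runs only at login; every later request carries an unguessable session identifier, never the credentials. User names, passwords and the 900-second idle timeout are constructed values.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed user store: username -> (salt, PBKDF2 hash). Demo data only.
_USERS = {}
SESSION_TTL = 900  # seconds a session stays valid without activity (assumed value)


def register(username, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    _USERS[username] = (salt, digest)


def authenticate(username, password):
    """Credential check: performed once at login, never per request."""
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(cand, stored)  # constant-time comparison


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # session id -> {"user": ..., "last": ...}

    def login(self, username, password):
        """Authenticate once; on success hand back a fresh session id."""
        if not authenticate(username, password):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[sid] = {"user": username, "last": self._now()}
        return sid

    def identify(self, sid):
        """Identification on later requests: only the session id is needed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last"] > SESSION_TTL:
            del self._sessions[sid]  # idle session expired; client must log in again
            return None
        s["last"] = self._now()
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

Because the password is exposed only in the single login exchange, the per-request risk is reduced to protecting the session id (transport encryption, cookie flags, expiry), which is the "secure identification" problem the message refers to.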