How NOT to do Web Security

12:13 PM j. montgomery 2 Comments

This is a great post on how NOT to do client authentication:

http://www.thedailywtf.com/forums/65974/ShowPost.aspx

2 comments:

  1. That was a fine little article! Rather humorous how management "solved" the problem.

    I'm scratching my (less technical) head wondering, "How do you manage sessions w/o cookies or JS?" Got any thoughts?

  2. Most web app languages support this; basically, they use URL rewriting. When the app server generates the HTML links in the pages, all links and forms on the site are generated with the session ID in the URL somewhere.

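As an added illustration of the URL-rewriting scheme described in the comment above (example code, not from this post or the linked article): a minimal Python rewriter that stamps a session ID into same-site links and form actions, and resolves it on the next request. The parameter name `sid`, the in-memory store and the sample page are assumptions; hrefs are assumed to carry a single, unescaped query parameter.

```python
import html
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "sid"  # assumed parameter name; not taken from the post

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}

def new_session(data):
    """Create a session with an unguessable id and return that id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(data)
    return sid

def add_sid(url, sid):
    """Append the session id to one same-site URL's query string."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query[SESSION_PARAM] = sid
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))

_HREF_RE = re.compile(r'(<a\b[^>]*\bhref=")([^"]*)(")', re.I)
_FORM_RE = re.compile(r'(<form\b[^>]*\baction=")([^"]*)(")', re.I)

def rewrite_html(page, sid):
    """Rewrite every link and form action so the session id travels with it.
    Only relative (same-site) URLs are rewritten: an absolute URL to another
    host is left alone so the id is never handed to a third party."""
    def repl(m):
        url = m.group(2)
        if urlsplit(url).netloc:  # points at another host: leave untouched
            return m.group(0)
        return m.group(1) + html.escape(add_sid(url, sid), quote=True) + m.group(3)
    return _FORM_RE.sub(repl, _HREF_RE.sub(repl, page))

def session_from_url(url):
    """Return the session referenced by an incoming request URL, or None."""
    sid = dict(parse_qsl(urlsplit(url).query)).get(SESSION_PARAM)
    return SESSIONS.get(sid)
```

A session ID carried in the URL ends up in browser history, server and proxy logs and Referer headers, so such IDs should be short-lived and the rewriter must never attach them to off-site links.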