[Typo3-dev] BE Login through URL?
Martin T. Kutschker
Martin.no5pam.Kutschker at blackbox.n0spam.net
Thu May 27 11:02:52 CEST 2004
Mathias Schreiber [K1net] wrote:
> Martin T. Kutschker wrote:
>
>>And have your clear text password sent over the wire. Only to be
>>sniffed and logged in proxy/server logs.
>
> He asked if it was possible.
> It is.
> We all know this is insecure.
What could be done and is a bit more secure is deriving a BE session
from a FE session. If you couple FE and BE users somehow then the BE
login could be modified to create a session if it encounters a valid FE
session.
But to protect the BE account I advise either to use encrypted FE
passwords (with hashes over the wire like it's done for the BE) or use
https.
Masi
PS: Can anybody explain the BE challenge mechanism? I fail to get the
part where the challenge is created and stored on server side for later
comparison. The way I read the code the challenge is sent via a cookie
and no copy stays on the server. Which essentially would allow tampering
with the challenge. What am I missing here?
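As an added illustration (not code from this thread or from TYPO3), the following sketches the server-side bookkeeping the PS is looking for: every issued challenge is stored on the server, accepted once, and expired, so a challenge the server never issued cannot be used. The response format hash(username:pwhash:challenge), the use of SHA-256 and the sample user are assumptions for this example, not TYPO3's actual scheme.

```python
import hashlib
import hmac
import secrets
import time


def stored_hash(password: str) -> str:
    """Server keeps only a hash of the password (assumed SHA-256, not TYPO3's choice)."""
    return hashlib.sha256(password.encode()).hexdigest()


def compute_response(username: str, pw_hash: str, challenge: str) -> str:
    """Client side: only this hash crosses the wire, never the clear text password.
    The format username:pw_hash:challenge is an assumption for illustration."""
    return hashlib.sha256(f"{username}:{pw_hash}:{challenge}".encode()).hexdigest()


class ChallengeLogin:
    """Challenge-response login that keeps a server-side copy of each challenge."""

    def __init__(self, users: dict, ttl: float = 60.0, clock=time.monotonic):
        self.users = users        # constructed store: username -> stored_hash(password)
        self.ttl = ttl            # seconds a challenge stays valid
        self.clock = clock        # injectable for testing expiry
        self.pending: dict = {}   # challenge -> issue time (the server-side copy)

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = self.clock()
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        # pop() makes the challenge single use; a replayed or forged one is unknown here
        issued = self.pending.pop(challenge, None)
        if issued is None or self.clock() - issued > self.ttl:
            return False
        pw_hash = self.users.get(username)
        if pw_hash is None:
            return False
        expected = compute_response(username, pw_hash, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    users = {"admin": stored_hash("s3cret")}           # constructed sample account
    login = ChallengeLogin(users)
    c = login.issue_challenge()
    resp = compute_response("admin", stored_hash("s3cret"), c)
    print("first use:", login.verify("admin", c, resp))    # True
    print("replayed:", login.verify("admin", c, resp))     # False, challenge consumed
```

Without the `pending` store, the server would have to trust whatever challenge value the client echoed back, which is the tampering concern raised in the PS.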