Old April 25th, 2008, 09:05 AM
planoie
Join Date: Aug 2003
Location: Clifton Park, New York, USA.

The problem isn't so much spoofing a login; it's intercepting a login. Once I know a login, I should be able to connect with it, and you'll never know that it isn't a legit login. The only way to test that is to lock down the application really tightly using some definable parameters, such as user X should always be connecting from address Y. The important part is keeping the data you are passing from being picked up.

If you simply encrypt the password on the client end, I could still spoof a login by intercepting the encoded value and passing that myself, so it's basically pointless.

Using SSL is easy enough, and I've never used anything more than that to secure a login. If you use SSL, then anything on top of that is not terribly necessary. SSL should give you ample security. If you need more security than can be provided by current technologies intended for HTTP, then you probably shouldn't be doing a web app.
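The replay point in the post, as an added example that is not from the post or its author: a server that accepts a client-side hash is accepting a fixed token, so a second submission of the same bytes passes just like the first. It goes one step beyond the post by contrasting that with a server-issued nonce, which is what makes a captured value single-use; the user, password, and hashing choices are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed: the server stores only the client-side hash of the password,
# as in the "encrypt the password on the client end" scheme.
STORED_CLIENT_HASHES = {
    "alice": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

def client_static_hash(password: str) -> str:
    """What the client sends when it hashes the password with no nonce."""
    return hashlib.sha256(password.encode()).hexdigest()

def server_verify_static(username: str, token: str) -> bool:
    """Static scheme: the token itself is the credential, so it is replayable."""
    expected = STORED_CLIENT_HASHES.get(username)
    return expected is not None and hmac.compare_digest(expected, token)

def server_issue_nonce() -> str:
    """Fresh per-attempt challenge chosen by the server."""
    return secrets.token_hex(16)

def client_challenge_response(password: str, nonce: str) -> str:
    """Client binds its proof to the server's nonce instead of sending a fixed hash."""
    key = bytes.fromhex(client_static_hash(password))
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def server_verify_challenge(username: str, nonce: str, response: str, used: set) -> bool:
    """Recompute the expected response and refuse any nonce seen before."""
    stored = STORED_CLIENT_HASHES.get(username)
    if nonce in used or stored is None:
        return False
    expected = hmac.new(bytes.fromhex(stored), nonce.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(expected, response)
    if ok:
        used.add(nonce)  # the nonce is spent whether or not the wire was observed
    return ok

def demo():
    # Static scheme: the value on the wire is accepted again unchanged.
    captured = client_static_hash("correct horse battery staple")
    static_first = server_verify_static("alice", captured)
    static_replay = server_verify_static("alice", captured)
    # Nonce scheme: the same response fails on a spent nonce and on a new one.
    used, n1 = set(), server_issue_nonce()
    r1 = client_challenge_response("correct horse battery staple", n1)
    cr_first = server_verify_challenge("alice", n1, r1, used)
    cr_replay = server_verify_challenge("alice", n1, r1, used)
    cr_new_nonce = server_verify_challenge("alice", server_issue_nonce(), r1, used)
    return static_first, static_replay, cr_first, cr_replay, cr_new_nonce
```

Either way, this only stops the login token from being reused; it hides nothing else on the wire, which is the reason the post ends up at SSL.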