WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: <bluewizard83-de4gahsh () yahoo com>
Date: Sun, 26 Jun 2005 21:26:11 -0700 (PDT)
I wouldn't really call META redirects insecure really, depending on what you're doing. The usage that spawned the referenced post though indicates a possible bad design. (Using a meta redirect to make sure a user is on the 'secure' site.)

Using META tags depends on the browser doing what you want it to do. Unfortunately what the browser actually does do is completely outside your control. Depending on a client's browser to do something related to security is a very bad idea. Whenever possible you should implement things on server side and not depend on the client for anything related to security.

Also a HTTP redirect usually is a bit more efficient than sending a page with a META redirect or javascript redirect.

Chris

--- Simon Zuckerbraun <szucker () sst-pr-1 com> wrote:

> Saqib,
>
> Could you explain for me what the insecurity is in REFRESH meta tags?
>
> Many thanks,
> Simon
>
> > Using REFRESH Meta tags is a very unsecure practice, for obvious reasons. Redirects to HTTPS should always be performed using URL REWRITEs on the server side.
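The server-side enforcement discussed in this message, as an added example that is not part of the original post or thread: a WSGI middleware that answers plain-HTTP requests with a 301 before any page body is produced, so nothing depends on the browser honouring a META tag. The names `require_https`, `login_app`, `call` and the host `login.example.test` are assumptions made for illustration, and the sketch assumes the server sets `wsgi.url_scheme` correctly.

```python
from urllib.parse import quote

CANONICAL_HOST = "login.example.test"  # constructed placeholder, set by the operator


def require_https(app, canonical_host=CANONICAL_HOST):
    """Wrap a WSGI app so it is only ever reached over HTTPS."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            return app(environ, start_response)
        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # A form posted over plain HTTP has already crossed the wire in
            # the clear; refuse it instead of redirecting and accepting it.
            body = b"HTTPS required\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Build the target from the configured host, never from the
        # client-supplied Host header.
        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")) or "/"
        query = environ.get("QUERY_STRING", "")
        location = "https://" + canonical_host + path + ("?" + query if query else "")
        start_response("301 Moved Permanently", [("Location", location),
                                                 ("Content-Length", "0")])
        return []  # no page body is sent over HTTP
    return middleware


def login_app(environ, start_response):
    """Hypothetical login page, standing in for the real application."""
    body = b"<form method='post'>login form</form>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, scheme, method="GET", path="/login", query=""):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "client-supplied.example"}  # ignored by the middleware
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

With a META refresh the login form's HTML has already been delivered over HTTP by the time the tag is read; here the wrapped application is never invoked for an HTTP request.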