WebApp Sec mailing list archives

RE: Should login pages be protected by SSL?


From: <bluewizard83-de4gahsh () yahoo com>
Date: Sun, 26 Jun 2005 21:26:11 -0700 (PDT)

I wouldn't really call META redirects insecure really, depending on
what you're doing.  The usage that spawned the referenced post though
indicates a possible bad design.  (Using a meta redirect to make sure a
user is on the 'secure' site.)

Using META tags depends on the browser doing what you want it to do.
Unfortunately what the browser actually does do is completely outside
your control.  Depending on a client's browser to do something related
to security is a very bad idea.  Whenever possible you should implement
things on server side and not depend on the client for anything
related to security.  Also an HTTP redirect usually is a bit more
efficient than sending a page with a META redirect or javascript
redirect.

Chris


--- Simon Zuckerbraun <szucker () sst-pr-1 com> wrote:

Saqib,

Could you explain for me what the insecurity is in REFRESH meta tags?

Many thanks,
Simon

Using REFRESH Meta tags is a very unsecure practice, for obvious
reasons. Redirects to HTTPS should always be performed using URL
REWRITEs on the server side.

