WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Ernest Nelson" <juridian () juridian com>
Date: Mon, 27 Jun 2005 12:22:30 -0700
I generally stick in some server-side code that checks for the use of SSL on pages that need it. One library function applied to all pages that need it can force the use of SSL on all of those pages... no worries about people messing with client-side tags or code.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Monday, June 27, 2005 9:38 AM
To: Michael Tsentsarevsky
Cc: webappsec () securityfocus com
Subject: Re: Should login pages be protected by SSL?
Could you explain for me what the insecurity is in REFRESH meta tags?
I have nothing against META REFRESH :) . It is just that using them for redirecting the users from http:// to https:// is a bad bad design. The Meta refresh tag can be intercepted, or stopped completely. Plus, the execution of the META tags depends on the browser, and not the server. You would have to make sure that you put REFRESH on all the web pages for something that can be easily done using one URL rewrite statement on the webserver.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/
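Added example, not part of either message above: a server-side check of the kind Ernest Nelson describes, written as a Python WSGI middleware. The function names, the canonical host `www.example.com`, the protected prefixes, and the choice to refuse (rather than redirect) non-GET requests that arrive over plain HTTP are assumptions of this example.

```python
from urllib.parse import quote

def require_https(app, canonical_host, protected_prefixes):
    """Wrap a WSGI app so protected paths are only ever served over HTTPS."""
    prefixes = tuple(protected_prefixes)

    def middleware(environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        # Assumes TLS ends at this server, so wsgi.url_scheme is trustworthy.
        if environ.get("wsgi.url_scheme") == "https" or not path.startswith(prefixes):
            return app(environ, start_response)
        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # The body (e.g. a password) already travelled in clear text;
            # refuse instead of redirecting so the broken form gets noticed.
            body = b"HTTPS required\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Build the target from configuration, never from the Host header.
        location = "https://" + canonical_host + quote(path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently", [("Location", location),
                                                 ("Content-Length", "0")])
        return []
    return middleware

def demo_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form\n"]

def call(app, scheme, method, path, query=""):
    """Send one constructed request through a WSGI app; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "spoofed.example"}  # constructed; must be ignored
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

app = require_https(demo_app, "www.example.com", ["/login", "/account"])

if __name__ == "__main__":
    for req in [("https", "GET", "/login"), ("http", "GET", "/login", "next=%2Fhome"),
                ("http", "POST", "/login"), ("http", "GET", "/about")]:
        print(req, "->", call(app, *req))
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` reflects the proxy-to-server hop, so the scheme must come from proxy configuration you control instead.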