undefined | Better HN

0 pointstoong11y ago0 comments

Exactly this.

I see that token used - sometimes in the http request header - but most of the time as a param in the GET request, over plain http.

Does it even matter if my auth was secure ? I just need to get hold of some access logs and I can impersonate everyone ?

0 comments

3 comments · 2 top-level

uxp11y ago· 1 in thread

If you're writing http headers out to your apache logs on your production server, you're doing it _severely_ wrong.

edit: I'm specifically talking about http basic auth with a precomputed "Authentication: base64($username + $passwd)" header, not a GET of "/foobar?api_key=12345abcd". The latter is obvious in it's failures and is not related to http basic auth.

toongOP11y ago

Obviously :-) If you're going after basic-auth-headers, you'd probably be sniffing the network.

> Authenticate once, generate a token, and use the token for auth from that point.

If that token is passed back and forth in the http url, it ends up at places where it's easy to find/intercept.

You can use a gazillion bcrypt rounds to store the password: they still send me a link to a page, including their auth-token.

toongOP11y ago

Edit: My intention was to get some input on how to properly use auth-tokens.

j / k navigate · click thread line to collapse