jeffreyhi1 / loginsystem-rd

Automatically exported from code.google.com/p/loginsystem-rd

Replay Attack #32

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Failure to use SSL/TLS may allow a man-in-the-middle attack by a simple
replay of user authentication credentials.

The best protection is using SSL/TLS.  Additional protection may be
achieved by using encryption and time-based, one-time-use tokens.

In the beta implementation, the login form requires that a nonce be
returned with the authentication credentials, however this alone may not be
sufficient, especially if SSL/TLS is not used.

This can be strengthened in early implementations by retaining used nonce
tokens in a table to be checked prior to issuing a new nonce to ensure they
are not used more than once for a given user.

Original issue reported on code.google.com by rdivilb...@gmail.com on 16 Apr 2010 at 6:16
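One way to implement the used-nonce table the comment proposes, as an added example that is not code from loginsystem-rd (the class name, the in-memory dicts standing in for the database table, the TTL and the injectable clock are all assumptions):

```python
import secrets
import time


class NonceStore:
    """Single-use, per-user, time-limited login nonces as a replay defense.

    Added illustration for this issue; not loginsystem-rd code. The two dicts
    stand in for the "table" of live and used nonces the comment describes.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._live = {}          # nonce -> (username, issued_at): handed out, not yet used
        self._used = {}          # nonce -> issued_at: consumed, must never be accepted again

    def issue(self, username):
        """Generate a fresh nonce for the login form, checking the used table first."""
        while True:
            nonce = secrets.token_urlsafe(32)
            if nonce not in self._used and nonce not in self._live:
                break
        self._live[nonce] = (username, int(self._clock()))
        return nonce

    def consume(self, username, nonce):
        """Accept a nonce exactly once, only for its owner, only inside the TTL."""
        if nonce in self._used:
            return False         # replayed credentials: nonce already burned
        record = self._live.pop(nonce, None)
        if record is None:
            return False         # never issued (guessed, forged, or already purged)
        owner, issued_at = record
        self._used[nonce] = issued_at   # burn it whatever the checks below decide
        if owner != username:
            return False         # nonce was issued to a different user
        if self._clock() - issued_at > self._ttl:
            return False         # stale: the time-based limit
        return True

    def purge(self):
        """Drop entries older than the TTL from both tables; returns how many were dropped."""
        now = self._clock()
        stale_live = [n for n, (_, t) in self._live.items() if now - t > self._ttl]
        stale_used = [n for n, t in self._used.items() if now - t > self._ttl]
        for n in stale_live:
            del self._live[n]
        for n in stale_used:
            del self._used[n]
        return len(stale_live) + len(stale_used)
```

A used nonce can be purged once it is older than the TTL, because any later replay already fails the "never issued" check.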

GoogleCodeExporter commented 8 years ago

Original comment by rdivilb...@gmail.com on 16 Apr 2010 at 6:26