General information
Category: Coding, syntax & commands
Environment versions
OS: Windows Server 2012 R2
Network: Windows Server 2012 R2
Virtual environment: VMWare
Thanks Marco. That clears up my questions.
Albert
>Hi Albert,
>
>*** I assume the "DB" in the next line is the server side database, correct?
>Yes, the server (web service) receives this and saves only the user & password hash.
>
>*** what gets returned to the client at this point? or is there something returned?
>Only an operation status: a simple "http 200 ok" with "operation succeeded" or "password changed" if all went ok.
>
>*** is there anything passed above that a man in the middle attack could grab and impersonate the client?
>
>The above procedure only covers the initial authentication process, and prevents the user password from traveling or being "saved as is" on the server. There's the improved digest authentication, which enforces a sequence control, short expiration and signing of all the HTTP messages with a similar procedure, but it only makes it harder to hack the conversation. Only TLS can protect against man in the middle attacks.
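The three controls Marco names for the "improved digest" style (a per-nonce sequence counter, a short expiration window, and a signature over every HTTP message) are easy to get subtly wrong, so here is an added illustration of how a server can enforce them. It is example code written for this thread, not Marco's web service or any Clarion library: the realm name, the credential-hash construction (a Digest-like hash of user, realm and password, so the server stores only the hash), the signed-field layout and the 30-second window are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

REALM = "example-realm"  # assumed realm name, constructed for this example


def credential_hash(user, password):
    """Derived identically on client and server; the server stores only this,
    never the password (assumed Digest-like HA1 construction)."""
    return hashlib.sha256(f"{user}:{REALM}:{password}".encode()).digest()


def sign_request(cred, method, path, body, nonce, nc, ts):
    """HMAC over every field that must not be altered in transit:
    method, path, body digest, server nonce, nonce count and timestamp."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = f"{method}\n{path}\n{body_hash}\n{nonce}\n{nc}\n{ts}".encode()
    return hmac.new(cred, msg, hashlib.sha256).hexdigest()


class DigestServer:
    """Verifies signed requests with sequence control and short expiration."""

    def __init__(self, window_seconds=30):
        self.users = {}            # user -> credential hash (no plaintext passwords)
        self.nonces = {}           # nonce -> [issued_at, last nonce count seen]
        self.window = window_seconds

    def register(self, user, cred):
        self.users[user] = cred

    def issue_nonce(self, now):
        """Server-chosen random nonce; its issue time bounds its lifetime."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return nonce

    def verify(self, user, method, path, body, nonce, nc, ts, signature, now):
        """Returns (accepted, reason). 'now' is passed in so the checks are
        deterministic and testable; a real server would read the clock."""
        cred = self.users.get(user)
        if cred is None:
            return False, "unknown user"
        entry = self.nonces.get(nonce)
        if entry is None:
            return False, "unknown nonce"
        issued, last_nc = entry
        # Short expiration: both the nonce and the claimed timestamp must be fresh.
        if now - issued > self.window or abs(now - ts) > self.window:
            return False, "expired"
        # Sequence control: the nonce count must strictly increase per nonce,
        # so a captured message cannot simply be sent again.
        if nc <= last_nc:
            return False, "replay"
        expected = sign_request(cred, method, path, body, nonce, nc, ts)
        # Constant-time comparison avoids leaking the signature byte by byte.
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        entry[1] = nc
        return True, "ok"


if __name__ == "__main__":
    srv = DigestServer()
    cred = credential_hash("albert", "correct horse battery staple")  # constructed
    srv.register("albert", cred)
    now = 1_000_000
    nonce = srv.issue_nonce(now)
    sig = sign_request(cred, "POST", "/password", b"new=s3cret", nonce, 1, now)
    print(srv.verify("albert", "POST", "/password", b"new=s3cret", nonce, 1, now, sig, now))
    print(srv.verify("albert", "POST", "/password", b"new=s3cret", nonce, 1, now, sig, now + 1))
```

The second `verify` call in the usage block re-submits the exact same message and is refused because the nonce count has already been consumed; changing any signed field without knowing the credential hash fails the signature check, and a message held back past the window is refused as expired. This matches Marco's caveat: these checks make tampering and replay harder, but an attacker who can read the exchange still sees everything in it, which is why TLS remains the actual protection against a man in the middle. Entries in `nonces` should be purged once they pass the window so the table does not grow without bound.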