WebApp Sec mailing list archives

RE: Securing password between webserver & appserver.
From: Ken Schaefer <Ken () adOpenStatic com>
Date: Tue, 8 Sep 2009 13:48:41 +1000

Is this an internal application? Kerberos can be used to solve this problem for internal apps.

Alternatively, can you use client certificate based authentication?

Cheers
Ken

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chintan Oza
Sent: Monday, 7 September 2009 2:04 PM
To: webappsec () securityfocus com
Subject: Securing password between webserver & appserver.

Dear All,

We have a web application which performs user authentication on an id+password basis.

The architecture is like this.
Browser<-HTTPS->WebServer<-->AppServer

We have a requirement where password should not be available to the WebServer (even in hashed format).

The only solution that I can think of is having an Applet perform PKI encryption on the password before submitting the form.

Please suggest if there are any better alternatives.

Thanks,

Chintan
