WebApp Sec
mailing list archives
Re: Securing password between webserver & appserver.
From: Till Elsner <Till.Elsner () uni-duesseldorf de>
Date: Wed, 09 Sep 2009 01:58:18 +0200
What about securing (i.e. encrypting) the connection between web
server and app server itself, like connecting to the app server from
the web server via an SSH-forwarded local port? You could keep the
original authentication method and have the entire communication
encrypted anyway.
Greetings
Till
On 07.09.2009 at 08:04, Chintan Oza wrote:
Dear All,
We have a web application which performs user authentication on
an id+password basis.
The architecture is like this.
Browser<-HTTPS->WebServer<-->AppServer
We have a requirement where password should not be available to the
WebServer (even in hashed format).
The only solution that I can think of is having an Applet performing PKI
encryption on the password before submitting the form.
Please suggest if there are any better alternatives.
Thanks,
Chintan
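
The approach raised in the original question (encrypting the password on the client to a key that only the app server holds, so the web server relays an opaque blob), as an added example that is not part of the original thread. Node's built-in crypto stands in for the applet, the three tiers are simulated in one process, and the function names, the JSON envelope and the single-use nonce are assumptions of this sketch.

```javascript
const nodeCrypto = require('node:crypto');

// App server: RSA key pair (constructed for this example). The private key
// stays on the app server; only the public key is handed to the client.
const appKeys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const issuedNonces = new Set();

// App server: issue a single-use nonce per login attempt. Without it the
// ciphertext is a static value that anyone relaying it could submit again.
function issueNonce() {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  issuedNonces.add(nonce);
  return nonce;
}

// Client: seal nonce + password to the app server's public key.
// RSA-2048 with OAEP/SHA-256 carries at most 190 bytes of plaintext.
function clientSeal(publicKey, nonce, password) {
  const plaintext = Buffer.from(JSON.stringify({ nonce, password }), 'utf8');
  return nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, plaintext).toString('base64');
}

// Web server: forwards the form fields unchanged. It holds no private key,
// so it sees the user id and ciphertext, never the password or a hash of it.
function webServerRelay(form) {
  return { user: form.user, sealed: form.sealed };
}

// App server: decrypt, consume the nonce, and return the password for the
// normal credential check (not shown). Returns null on any failure.
function appServerOpen(msg) {
  let parsed;
  try {
    const plaintext = nodeCrypto.privateDecrypt(
      { key: appKeys.privateKey, ...OAEP }, Buffer.from(msg.sealed, 'base64'));
    parsed = JSON.parse(plaintext.toString('utf8'));
  } catch {
    return null; // malformed or tampered ciphertext
  }
  if (!parsed || !issuedNonces.delete(parsed.nonce)) return null; // unknown or replayed nonce
  return parsed.password;
}
```
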