Cant the same be done to allow users to login only through HTTPS, or if
they are on HTTP, user can be redirected to an HTTPS. SO, the script will
only work when the user is over a secured HTTP.
On 22 February 2012 01:24, Roan Kattouw <roan.kattouw(a)gmail.com> wrote:
On Mon, Feb 13, 2012 at 5:28 PM, Daniel Friesen
The idea that login is secure because it's on
a separate page than the
of the site is actually an old mistake.
If a script is included ANYWHERE on the site on the same domain then it's
possible to inject in some code that will fake pageviews in a way that
let an attacker have a running script when the
user follows the login
to the login page.
So there isn't really any security advantage of a separate login page
an ajax login. (well ;) unless you're using
the separate login page
you have js disabled, then you're safe, heh)
Basically what the issue was is that if you're on an unencrypted HTTP
pageview, you cannot trust the login form that gets AJAXed in, even if
it submits to HTTPS. If the login form is transferred over HTTP (or
the script that loads the login form is transferred over HTTP, or if
*anything* comes on HTTP), it's not secure.
Wikitech-l mailing list
<mr.shivansh.srivastava(a)gmail.com>Secretaryretary, BITS Alumni Affairs Division
| Web Expert, Newsletter, BITSAA International
3rd Year Undergraduate | B.E. (Hons.) - Electronics & Instrumentation