Sunday, March 2, 2008

Technical: Login Authentication

When you try to access a protected web resource, the web container activates the authentication mechanism that has been configured for that resource. You can specify the following authentication mechanisms in J2EE:

- HTTP basic authentication

- Form-based login authentication

- Client certificate authentication

- Mutual authentication

- Digest authentication

We will focus on Form-based login authentication. I will show you in a while how this is related to our captcha structure.

With form-based authentication, the following things occur:

  1. A client requests access to a protected resource.
  2. If the client is unauthenticated, the server redirects the client to a login page.
  3. The client submits the login form to the server.
  4. If the login succeeds, the server redirects the client to the resource. If the login fails, the client is redirected to an error page that prompts the user to try again.

In our captcha structure, the username is the Session ID: each connection to the server establishes a unique SessionID. The password is the captcha String, which is generated using a Time SEED. The SessionID and its associated captcha String are stored in a cache, a HashMap. Upon authentication, whether successful or failed, the session is forcibly invalidated and the record is removed from the cache.
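The cache described above, written out as an added Python example (not code from this post or from a J2EE container). It assumes the container hands us an opaque session id string, adds a hypothetical two-minute lifetime for each challenge, and draws the captcha from the `secrets` CSPRNG rather than a time seed, because a clock-seeded generator lets an observer reproduce the string.

```python
import secrets
import string
import time
from dataclasses import dataclass

CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits
CAPTCHA_TTL_SECONDS = 120  # assumed lifetime; the post does not state one


@dataclass
class Challenge:
    text: str
    issued_at: float


class CaptchaCache:
    """SessionID -> captcha mapping, consulted exactly once per login attempt."""

    def __init__(self, clock=time.time):
        self._store = {}          # the post's HashMap: session id -> Challenge
        self._clock = clock       # injectable so expiry can be tested offline

    def issue(self, session_id: str, length: int = 6) -> str:
        # CSPRNG instead of the post's Time SEED (see lead-in).
        text = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))
        self._store[session_id] = Challenge(text, self._clock())
        return text

    def authenticate(self, session_id: str, submitted: str) -> bool:
        # pop() removes the record whether the attempt succeeds or fails: this is
        # the "session invalidated, record removed" step, so a retry must obtain a
        # fresh captcha and cannot brute-force the same one.
        challenge = self._store.pop(session_id, None)
        if challenge is None:
            return False
        if self._clock() - challenge.issued_at > CAPTCHA_TTL_SECONDS:
            return False
        # Constant-time comparison; captcha text is case-insensitive here.
        return secrets.compare_digest(challenge.text, submitted.strip().upper())

    def pending(self) -> int:
        """Number of outstanding challenges (useful for monitoring the cache)."""
        return len(self._store)
```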


Form-based authentication is not particularly secure on its own. Why? In form-based authentication, the contents of the login form are sent as plain text, and the target server is not authenticated. This form of authentication can expose your user names and passwords: anyone who can intercept the transmission can read the user name and password directly. However, all of this is addressed by ensuring that every connection is made over SSL.
