
How to implement secure login page

 
Ryan Day
Ranch Hand
Posts: 87
I'm learning about web app security (SCWCD objectives 5.1, 5.2, 5.3). The HF book says that the data integrity for FORM-based login (using <auth-method> of FORM in the <login-config> tag of the DD) is very weak with no encryption.

So if I want to have a custom login page that is secure, does adding a <user-data-constraint><transport-guarantee> value of CONFIDENTIAL accomplish that?

Also, the BASIC authentication is said to be weak, too, so I guess I should also use <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee> in that situation.

Why would you ever implement a login without the transport guarantee?
 
Ulf Dittmer
Rancher
Posts: 42969
Strong or weak security are relative to what you are trying to achieve. If you're worried that your IP traffic might be sniffed, then you should use a transport guarantee. But let's say you have an intranet application, and are mainly interested in authenticating your users; then a login without encryption would be sufficient.