
Form-Based Authentication

 
Paulo Marcio Brandi Rezende
Everywhere I see the same:

"form-based info is transmitted in the least secure way"

"data integrity in form-based authentication is very weak"

And other things like this.

But I was thinking... a lot of web sites use some kind of form-based authentication, even those not built on J2EE.

Are they (the other sites) safer than J2EE's sites? If yes, how? If not, why is there all this chat about the form auth-method when it is used by almost everybody?
 
Bryan Basham
author
Hi Paulo,

Typically, form-based authentication (login) is combined with HTTPS. So even though the password is sent "in the clear" in the request parameters, the whole HTTP request is encrypted between the client and server; therefore, the password cannot be read by a third party in transit.

So, yes, by itself form-based auth is insecure, but when combined with HTTPS it is very secure. And yes, many other web frameworks would also suffer from this issue, not just JavaEE.

HTH,
Bryan
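As an added illustration of the point above (not code from the original thread): a Servlet `web.xml` fragment that configures the FORM auth-method and adds a CONFIDENTIAL transport guarantee, which makes the container redirect plain-HTTP requests to HTTPS before the login form is shown or the credentials are posted. The realm name, role name and page paths are assumed.

```xml
<!-- web.xml fragment; realm, role and paths are assumed examples -->
<web-app>
  <!-- FORM auth: the browser posts j_username / j_password to
       j_security_check as ordinary request parameters, so they are
       readable in transit unless the connection itself is encrypted. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Weak setting: a role check only. Nothing stops the login form
       and the password POST from travelling over plain HTTP:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Members area</web-resource-name>
           <url-pattern>/secure/*</url-pattern>
         </web-resource-collection>
         <auth-constraint><role-name>member</role-name></auth-constraint>
       </security-constraint>
  -->

  <!-- Corrected: the same constraint plus a CONFIDENTIAL transport
       guarantee, so the container forces HTTPS for /secure/* before
       it even renders the login page for that request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Also require HTTPS for the login pages themselves (no role
       needed), so a directly requested form is never served or
       submitted over a plain connection. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/login-error.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role><role-name>member</role-name></security-role>
</web-app>
```

With CONFIDENTIAL set, a request to `http://host/secure/` is redirected to the HTTPS connector before the FORM challenge, so the redirect-to-HTTPS and the login step are both handled by the container rather than by application code.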