Head First mock exam question 9 in chp 12 security

 
Himai Minh
Ranch Hand
On p.699 of Head First

Which authentication mechanism is recommended to be used only if cookies or SSL session tracking is in place?
A. HTTP Basic Authentication
B. Form based authentication
C. HTTP Digest authentication
D. HTTPS Client authentication


According to these previous posts:
http://www.coderanch.com/t/510521/java-Web-Component-OCEJWCD/certification/FORM-based-authentication
http://www.coderanch.com/t/177720/java-Web-Component-OCEJWCD/certification/Form-based-authentication

When session tracking or cookies are used, the user can be recognized in subsequent requests after the user logs in with the form.
But what about the other authentication options in A, C and D? Should we use cookies/session tracking for them, so that users will be authenticated first and won't be authenticated again in subsequent requests?
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
This question is testing this small part in the specs that says:
13.6.3.1 Login Form Notes
Form based login and URL based session tracking can be problematic to implement. Form based login should be used only when sessions are being maintained by cookies or by SSL session information.

In other words, from the 3 mentioned session tracking mechanisms:
  • URL rewriting
  • Cookies
  • SSL session information

don't rely on the idea that URL rewriting will work in combination with Form based authentication. It might work, it might not work, so you better use it only in an environment where you have the possibility of Cookies and/or SSL session information.

Note that this warning is only mentioned in the specs for this particular combination.
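To make the spec note concrete, here is a constructed web.xml fragment (added for illustration; it is not from the thread, the book or the Enthuware material) that shows the combination the note warns about next to the one it recommends. The page names (/login.jsp, /login-error.jsp) are assumed.

```xml
<!-- Constructed example, Servlet 3.x web.xml fragments. -->

<!-- Problematic: FORM login while the only session tracking mode is URL rewriting.
     The container must append ;jsessionid=... to every link; the login POST and the
     redirect back to the originally requested page can lose it, so the user may not be
     recognised after logging in. This is the case spec section 13.6.3.1 warns about. -->
<session-config>
  <tracking-mode>URL</tracking-mode>
</session-config>

<!-- Recommended: keep the session with a cookie (or, alternatively, SSL session
     information via <tracking-mode>SSL</tracking-mode>, which cannot be combined with
     other modes). HttpOnly and Secure harden the session cookie itself. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

<!-- The FORM login configuration is the same in both cases; only the
     session tracking choice above decides whether it works reliably. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

BASIC, DIGEST and CLIENT-CERT authentication send credentials (or the client certificate) with every request, so they do not depend on the session being tracked, which is why the note applies only to FORM.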
 
Himai Minh
Ranch Hand
Hi, Frits. Thanks for your explanation.
Can we still use basic, client and digest authentication when cookies are enabled or SSL session tracking is turned on?
I think we can.
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Yes, you can.