
If you're writing http headers out to your apache logs on your production server, you're doing it _severely_ wrong.

edit: I'm specifically talking about http basic auth with a precomputed "Authentication: base64($username + $passwd)" header, not a GET of "/foobar?api_key=12345abcd". The latter is obvious in its failures and is not related to http basic auth.




Obviously :-) If you're going after basic-auth-headers, you'd probably be sniffing the network.

> Authenticate once, generate a token, and use the token for auth from that point.

If that token is passed back and forth in the http url, it ends up at places where it's easy to find/intercept.

You can use a gazillion bcrypt rounds to store the password: they still send me a link to a page, including their auth-token.
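Added example, not from either commenter: a small log-hygiene check over Apache access-log lines that flags the two leaks discussed in this thread, a token in the query string and an Authorization header written to the log, and redacts them. The LogFormat, the sample lines and the `SECRET_PARAMS` list are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines from a hypothetical, misconfigured Apache
# LogFormat whose last field is the Authorization request header:
#   '%h %t "%r" %>s "%{Authorization}i"'
SAMPLE_LOG = """\
203.0.113.7 [10/Oct/2023:13:55:36 +0000] "GET /foobar?api_key=12345abcd HTTP/1.1" 200 "-"
203.0.113.8 [10/Oct/2023:13:55:40 +0000] "GET /secure/ HTTP/1.1" 200 "Basic YWxpY2U6aHVudGVyMg=="
203.0.113.9 [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 "-"
"""

# Query parameter names assumed to carry credentials (extend for your app).
SECRET_PARAMS = {"api_key", "apikey", "token", "access_token", "auth"}
LINE_RE = re.compile(
    r'^(?P<pre>\S+ \[[^\]]+\] ")(?P<method>\S+) (?P<url>\S+)'
    r'(?P<rest> [^"]*" \d+ ")(?P<authz>[^"]*)"$'
)

def redact_url(url):
    """Redact credential-bearing query values; return (url, leaked_param_names)."""
    parts = urlsplit(url)
    leaked, query = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            leaked.append(key)
            value = "REDACTED"
        query.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(query))), leaked

def basic_credentials(authz):
    """A Basic value is only base64(user:password); decoding shows why logging it leaks the password."""
    scheme, _, b64 = authz.partition(" ")
    if scheme.lower() != "basic":
        return None
    return base64.b64decode(b64).decode("utf-8", "replace")

def scan_line(line):
    """Return (redacted_line, findings) for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return line, []  # unknown format: leave the line untouched
    url, leaked = redact_url(m.group("url"))
    findings = [f"query param {k}" for k in leaked]
    authz = m.group("authz")
    if authz not in ("", "-"):
        findings.append("Authorization header logged")
        authz = "REDACTED"
    redacted = f'{m.group("pre")}{m.group("method")} {url}{m.group("rest")}{authz}"'
    return redacted, findings
```

Run `scan_line` over each line of an existing log to find what has already leaked; the durable fix is to drop `%{Authorization}i` from the LogFormat and keep tokens out of URLs.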



