in reply to Re: SOAP::Lite - securest authentication route...
in thread SOAP::Lite - securest authentication route...

While I agree with the rest of your post, I want to comment on your last point:

One should never assume the clients are secure. Always (if at all possible) treat clients with utmost suspicion, and that means not trusting any data you get from the clients unless it checks with the stuff you know. Taint checking all the input should go without saying.

Assuming the client is out to get you not only protects you from clients that have been taken over by black hats, but also from bugs in the client...

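The taint-checking point above, as an added example that is not code from the original thread or from SOAP::Lite itself: a SOAP::Lite CGI handler run under `perl -T`, where every client-supplied argument is rejected unless it matches a strict whitelist pattern, and only the regex capture (which clears the taint flag) is ever used to build a file path. The service class `ReportService`, its method `get_report`, the fault codes and the directory `/var/lib/reports` are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): a SOAP::Lite server method
# that treats every client-supplied argument as hostile. Runs under taint
# mode (-T), so nothing received from the client can reach open() or a
# system call until it has passed an explicit whitelist check.
use strict;
use warnings;
use SOAP::Transport::HTTP;

# Taint mode refuses to run with an untrusted environment; pin PATH and
# drop the variables a shell would honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

package ReportService;    # hypothetical service class for this example

use SOAP::Lite;           # for SOAP::Fault

# Directory the service may read from (assumed location for the example).
my $REPORT_DIR = '/var/lib/reports';

# Untaint a client value only if it matches a strict whitelist pattern.
# The capture group is what clears the taint flag; a value that fails the
# pattern is rejected with a SOAP fault rather than "cleaned up".
sub _untaint {
    my ($name, $value, $pattern) = @_;
    defined $value && $value =~ $pattern
        or die SOAP::Fault->faultcode('Client')
                          ->faultstring("invalid value for $name");
    return $1;
}

# get_report(user, report_id): returns the text of one report file.
# Both arguments arrive from the client and are validated before use,
# regardless of whether the caller has already authenticated.
sub get_report {
    my ($class, $user, $report_id) = @_;

    # user: 1-32 chars, lowercase letters/digits/underscore, leading letter.
    my $safe_user = _untaint('user', $user, qr/^([a-z][a-z0-9_]{0,31})$/);

    # report_id: 1-10 digits only. A looser "looks numeric" check would let
    # "../../etc" or "1/../../x" be interpolated into the path below.
    my $safe_id = _untaint('report_id', $report_id, qr/^(\d{1,10})$/);

    # Every component is now untainted and matches a known-good shape, so
    # open() is allowed to run under -T and the path cannot leave $REPORT_DIR.
    my $path = "$REPORT_DIR/$safe_user/$safe_id.txt";

    open my $fh, '<', $path
        or die SOAP::Fault->faultcode('Client')
                          ->faultstring('no such report');
    local $/;                 # slurp mode
    my $body = <$fh>;
    close $fh;
    return $body;
}

package main;

# Dispatch only to the explicitly named class. Passing a directory to
# dispatch_to() lets the client choose which module gets loaded by name,
# which is exactly the kind of client-controlled input this example refuses.
SOAP::Transport::HTTP::CGI
    ->dispatch_to('ReportService')
    ->handle;
```

Run as a CGI under `perl -T`; a request with `user="bob"` and `report_id="42"` reads `/var/lib/reports/bob/42.txt`, while `user="../etc"` or `report_id="42; rm -rf /"` never reaches `open()` and comes back to the client as a `Client` fault. The same pattern applies whether or not the client is believed to be trustworthy: a bug in a legitimate client produces the same malformed input as a hostile one.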

Re: Re: Re: SOAP::Lite - securest authentication route...
by sgifford (Prior) on Apr 20, 2004 at 15:18 UTC

    I agree that the script should never assume the client is secure, as an essential component of a security-in-depth strategy.

    However, a secure client really is necessary for making sure only authorized users use the script. A compromised computer may be under an unauthorized user's control, but have a permitted IP address and access to the password or the SSL certificate.