* John_Leitchat_private (John_Leitchat_private) [020530 12:55]:
> Hi,
>
> Thanks for that but the ever changing realm is as follows.....
>
> When a connection is established to the server and you are presented with a
> login prompt the realm is different every time. It's almost like the server
> has / is using /dev/random to assign the realm so it's never the same.
>

I'm not exactly sure how this would work, as a browser must have a Realm/uid/password trio to successfully authenticate against a server. If the Realm constantly changes, every authenticated gif, page, or button would request a new uid/password for the new realm. This would make the website a hassle to use.

More information on this would be useful, as this sounds definitely more dynamic than is reasonably possible.

If each page were only text and no images, this could work, although it would make normal browsing impossibly tedious. If each transaction only requests a .doc or a .pdf, or something similarly self-contained, the changing Realm won't affect you much, unless you assume that each user has a new uid/password string for each realm.

If each user doesn't have a unique uid/password for each realm, then there must be some uid/password pairs similar to each realm, and therein lies your possible brute-force possibility.

Thanks,
JJ

--
J. J. Horner
Web Server Security Professional
jhornerat_private
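The caching behaviour discussed in the message above, as an added example that is not part of the original post: a simplified model of a browser credential cache keyed by host and realm, counting how many login dialogs a page with 12 protected resources triggers when the realm is fixed versus regenerated on every challenge. The class and function names, the host name and the challenge headers are all constructed for illustration.

```python
import re
import secrets

# Matches realm="..." (quoted-string form) in a WWW-Authenticate header value.
_REALM_RE = re.compile(r'\brealm="((?:[^"\\]|\\.)*)"', re.IGNORECASE)


def parse_realm(challenge):
    """Return the realm of a Basic/Digest challenge, or None if absent."""
    m = _REALM_RE.search(challenge)
    if m is None:
        return None
    # Undo quoted-pair escaping (\" -> ", \\ -> \).
    return re.sub(r'\\(.)', r'\1', m.group(1))


class CredentialCache:
    """Simplified browser model (assumption): credentials keyed by (host, realm)."""

    def __init__(self):
        self._store = {}
        self.prompts = 0  # number of login dialogs the user would see

    def credentials_for(self, host, challenge):
        key = (host, parse_realm(challenge))
        if key not in self._store:
            self.prompts += 1
            self._store[key] = ("uid", "password")  # placeholder for user input
        return self._store[key]


def count_prompts(host, challenges):
    """Feed one 401 challenge per requested resource; return dialogs shown."""
    cache = CredentialCache()
    for challenge in challenges:
        cache.credentials_for(host, challenge)
    return cache.prompts


def stable_challenges(n):
    # Constructed sample: a server that always sends the same realm.
    return ['Basic realm="intranet"'] * n


def random_challenges(n):
    # Constructed sample: a server that generates a fresh realm per response.
    return ['Basic realm="%s"' % secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    host = "www.example.com"  # placeholder host
    print("stable realm :", count_prompts(host, stable_challenges(12)), "prompt(s)")
    print("random realm :", count_prompts(host, random_challenges(12)), "prompt(s)")
```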
This archive was generated by hypermail 2b30 : Thu May 30 2002 - 13:28:21 PDT