[talk] Cyber False Login
johnweintraub at gmail.com
Thu Dec 28 03:24:08 EST 2017
unless C convinces B that it's A when in fact it's not A at all.
On Dec 28, 2017 12:17 AM, "Sujit K M" <kmsujit at gmail.com> wrote:
On Thu, Dec 28, 2017 at 10:13 AM, John Weintraub
<johnweintraub at gmail.com> wrote:
> Hi Sujit;
> I'd think that the site A or B or both have some auto-logoff feature,
> after not very long, if no activity is detected, the user is logged out.
> This could be, say three to five minutes of inactivity. I know that would
> create some vulnerability, but that's a pretty narrow window in which to
> hack a website. And for my money, I think it would be site A that would
> have the auto-logoff feature, which might be as simple as a script telling
> to log out the inactive user.
Another way to look at it is since A calls B and B knows A is the one
that is authenticated.
It doesn't let another site C use the authentication owned by A.
talk mailing list
talk at lists.nycbug.org