Posted to dev@hc.apache.org by Apache Wiki <wi...@apache.org> on 2007/05/04 19:50:27 UTC

[Jakarta-httpclient Wiki] Update of "FrequentlyAskedApplicationDesignQuestions" by RolandWeber

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jakarta-httpclient Wiki" for change notification.

The following page has been changed by RolandWeber:
http://wiki.apache.org/jakarta-httpclient/FrequentlyAskedApplicationDesignQuestions

------------------------------------------------------------------------------
  [http://www.ietf.org/rfc/rfc2246.txt RFC 2246: The TLS Protocol Version 1.0]
  
  [http://www.ietf.org/rfc/rfc3546.txt RFC 3546: Transport Layer Security (TLS) Extensions]
+ 
+ 
+ 
+ -------
+ == Server Performing Login for Client ==
+ 
+ Once in a while, somebody wants a server or proxy to perform login to a different site on behalf of the client,
+ then handing the session over to the client. Since the authentication is already performed by the server or proxy,
+ the client is not supposed to ask the user for credentials.
+ 
+ This is '''not possible'''. We mean it. It is '''not''' possible. Seriously.
+ Unless the server or proxy is in the same domain as the server to which you want to log in,
+ there is '''no way'''.
+ [[BR]]
+ If you find a way to make this work across domains, please report a security vulnerability against the browser.
+ 
+ If your server or proxy is in the same domain as the site you want to login to,
+ you can ''try'' to send the session cookie obtained from the target site on to the client,
+ setting it at the domain level.
+ This may or may not work, depending on the configuration of the target server, and of other servers in the domain.
+ [[BR]]
+ If you don't know what all that stuff means, you shouldn't implement
+ this kind of security sensitive application in the first place.
  
  
  
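Review bot: the new "Server Performing Login for Client" section asserts that the cross-domain case is impossible but never names the mechanism, so a reader cannot judge why the same-domain exception exists either; after "there is '''no way'''" state plainly that the browser scopes a cookie to the host (or the Domain attribute) it was set with and only sends it back there, which is exactly why a proxy on a different domain cannot hand the session cookie it obtained over to the client. The same-domain paragraph should also spell out what "setting it at the domain level" costs: a cookie widened to the parent domain is sent to every host under that domain, so the "other servers in the domain" are not only a compatibility concern but additional recipients of the session token, and the target server may ignore or overwrite a cookie whose Domain does not match the one it issued. Replacing "This may or may not work" with those two concrete failure modes would make the warning actionable rather than just emphatic.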

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org