by caf
5710 days ago
Even better:

1. During the HTTPS part of the communication, the server generates a single random key and sends it to the client.
2. The client stores this string in local storage.
3. For every request, the client generates an HMAC over the request parameters (including a monotonic sequence number) using the key.

Both of these schemes are still susceptible to a MITM, who can just insert a bit of JavaScript in any page received over HTTP that reveals the temporary secret in local storage to anyone listening.