Re(2): [JDEV] Re-using session - is it possible?
Wing, Oliver
owing at vianetworks.co.uk
Mon Sep 16 02:37:25 CDT 2002
> > >Or by passing on
> > >the parameters from the first login to the applet and make the applet
> > >use those parameters to log in.
> >
> > If by "parameters" you mean the <digest/>, I don't see how this could
> > work. Since each session has its own ID, used at generating the
> > digest. Or were you referring to other parameters?
>
> I must admit, this was the first thing that came into my mind, but I
> came to think about the same problem. There aren't too many ways to pass
> on the password to the applet without giving it out in plaintext (or
> some weak encoding)
>
You could make an assumption on the way 0k works to achieve it, although
there are severe flaws in the assumption;
Assumption:-
0k works by giving a sequence number in the auth iq. This number decreases
with each successful login. Therefore, you could make the assumption, if you
first login and the sequence is 100, the next login will ask for sequence
of 99, and therefore you could pass this to your java client as a param.
Two of the biggest flaws in that assumption:-
o Assumption that no subsequent authentication sequence occurs in-between
time period. This could be helped by computing say the next five hashes with
the sequence number, leaving the jabber client to pick the right one.
o If sequence falls to 0, next sequence number is not guaranteed to be
constant, and a new token should be issued too. This could be helped by the
web page logging in again if given such a sequence number, to force the
server to generate a new hash and therefore sequence and token.
Regards,
--
Oliver Wing
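As an added illustration (not part of the thread), the 0k hash chain Oliver describes, in Python: it follows the Jabber zero-knowledge construction of XEP-0078 (hex SHA-1 of the password, then of that digest plus the server token, then `sequence` further SHA-1 rounds), and the password and token values below are constructed sample data.

```python
import hashlib


def _sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def zerok_response(password: str, token: str, sequence: int) -> str:
    """Client side: the <hash/> value sent for a given sequence number.

    Each successful login lowers the sequence by one, so the response for
    sequence n-1 is exactly one SHA-1 round 'short' of the response for n.
    """
    h = _sha1_hex(password)          # SHA1(password), hex
    h = _sha1_hex(h + token)         # mix in the per-account token
    for _ in range(sequence):        # 'sequence' further rounds
        h = _sha1_hex(h)
    return h


def server_verify(stored_hash: str, presented: str) -> bool:
    """Server side: the stored value is the response for sequence n+1, so
    one more SHA-1 over the presented value must reproduce it. The server
    never learns the password; it only stores the last accepted hash."""
    return _sha1_hex(presented) == stored_hash


def precompute_next(password: str, token: str, start_sequence: int, count: int):
    """Precompute the responses for the next 'count' logins (the 'next five
    hashes' idea from the message) starting after a login at start_sequence.

    Returns (responses keyed by sequence number, needs_new_token). The flag
    is the second caveat in the message: once the chain reaches sequence 0
    the next sequence is not predictable and a new token must be issued.
    """
    responses = {}
    seq = start_sequence - 1
    while count > 0 and seq >= 0:
        responses[seq] = zerok_response(password, token, seq)
        seq -= 1
        count -= 1
    needs_new_token = seq < 0
    return responses, needs_new_token
```

Each precomputed response is a one-time credential for exactly one sequence number, which is why handing several of them to an applet widens exposure in proportion to how many are handed over.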