Is it possible to have secure authentication without using session, cookies and SSL ?
I have looked other protocols, such as SRP and Dif开发者_StackOverflow社区fie-Hellman, but in the end you have to send the proof of key over the wire, and that would be vulnerable to "Man In The Middle" attacks...
As long as there isn't some communication before the connection (privately exchange keys, so you can encrypt the message, etc.), nothing is secure without the use of SSL over the web.
Without some pre-shared information, nothing is safe from the man-in-the-middle attack. You always need some pre-shared information to be secure against man-in-the-middle. If you just want to be safe from passive eavesdropping, then pre-shared information is not needed.
The main reason why SSL works best is that you have the pre-shared security information - certificates. The web browsers are already bundled with it. For example, in Firefox look at Tools / Options / Advanced / Encryption / View certificates / Authorities, then select the certificate and click View.
You could of course have a different cryptographic protocol based on pre-shared information, so in principle it is possible without SSL. But in current practice, the only pre-shared information bundled with web browsers are SSL certificates.
For authentication only, any public-key-based cryptography could be an alternative. You can add custom HTTP request headers including a digital signature and a reference to the signer's certificate. This would be a totally proprietary approach, but it may suit your needs.
精彩评论