Multipart questions

I've used sites, for example, a bank's where you login with your username and password, and then it asks you "security questions" - like, your favourite colour, whatever, etc. etc. How is this sort of thing coded? The security questions appear without a refresh, mind you, ie. on the same page - so after the name+pwd authentication is done, does *client side Javascript* set some sort of cookie? If, after entering your username and password, the security questions appear, and you refresh the page - what happens exactly? The authentication will happen again, and *another* cookie will be set..... - how does the system protect against that?
0
bit
12/1/2016 5:50:10 PM
comp.lang.php

13 Replies
218 Views


bit-naughty@hotmail.com wrote:
> I've used sites, for example, a bank's where you login with your username and password, and then it asks you "security questions" - like, your favourite colour, whatever, etc. etc. How is this sort of thing coded? The security questions appear without a refresh, mind you, ie. on the same page - so after the name+pwd authentication is done, does *client side Javascript* set some sort of cookie? If, after entering your username and password, the security quesions appear, and you refresh the page - what happens exactly? The authentication will happen again, and *another* cookie will be set..... - how does the system protect against that?

Sounds to me like it uses XHR in order to request your security question
from the server after you have entered your login credentials.

XHR is often used with AJAX in order to update pages with new information
from the server without having to reload the page.

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
and
https://developer.mozilla.org/en-US/docs/AJAX
can provide you with more information about this.
0
Cybercode
12/1/2016 6:36:31 PM
On 12/01/2016 06:50 PM, bit-naughty@hotmail.com wrote:
> I've used sites, for example, a bank's where you login with your username and password, 
> and then it asks you "security questions" - like, your favourite colour, whatever, etc. etc.
> How is this sort of thing coded? The security questions appear without a refresh, mind you,
> ie. on the same page - so after the name+pwd authentication is done, does *client side 
> Javascript* set some sort of cookie?

The login will be done over an ajax call as Cybercode mentioned; if the
username/password matches, the server will send the security question as
the response to that same ajax call.

The client side is untrusted, so the cookie has already been set when
you enter the login page (before you enter your username/password); the
session data on the server side will be updated on a successful login.


> If, after entering your username and password,
> the security quesions appear, and you refresh the page - what happens exactly?

Much depends on how it's designed: if badly, then you will be asked for
username/password again; if done properly, you will be asked for the
security question.

A side note, those security questions are a false sense of security, if
you want security you go for 2 factor authentication.


> The authentication will happen again, and *another* cookie will be set.....
> - how does the system protect against that?

You don't have to set a new session cookie, you can keep on using the
one you had in the first place, but you may change it to make it a bit
more difficult to steal the session cookie and use it to access the
system. There is a lot to read about this at OWASP, see
https://www.owasp.org/index.php/Main_Page

-- 

 //Aho
0
J
12/1/2016 7:03:59 PM
Cybercode wrote:

> bit-naughty@hotmail.com wrote:
>> I've used sites, for example, a bank's where you login with your username 
>> and password, and then it asks you "security questions" - like, your
>> favourite colour, whatever, etc. etc. How is this sort of thing coded?
>> The security questions appear without a refresh, mind you, ie. on the
>> same page - so after the name+pwd authentication is done, does *client
>> side Javascript* set some sort of cookie? If, after entering your
>> username and password, the security quesions appear, and you refresh the
>> page - what happens exactly? The authentication will happen again, and
>> *another* cookie will be set..... - how does the system protect against
>> that?
> 
> Sounds to me like it uses XHR in order to request your security question
> from the server after you have entered your login credentials.

Not necessarily.  In fact, it is more likely that it happens in an iframe.  
Bank sites, for example, are not usually based on XHR.
 
> XHR is often used with AJAX in order to update pages with new information
> from the server without having to reload the page.

XMLHTTPRequest (XHR) is the *proper* term for that technology; AJAX 
(Asynchronous JavaScript and XML) is the historic marketing buzzword,
in common cases a *misnomer*.
 
> https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
> and
> https://developer.mozilla.org/en-US/docs/AJAX
> can provide you with more information about this.

Please read that carefully yourself, and post here using your real name 
only.

-- 
PointedEars
Zend Certified PHP Engineer <http://www.zend.com/en/yellow-pages/ZEND024953>
<https://github.com/PointedEars> | <http://PointedEars.de/wsvn>
Twitter: @PointedEars2 | Please do not cc me./Bitte keine Kopien per E-Mail.
0
Thomas
12/2/2016 12:06:24 AM
On 12/1/2016 7:06 PM, Thomas the infamous troll 'Pointed Head' Lahn wrote:
> Cybercode wrote:
> 
>> bit-naughty@hotmail.com wrote:
>>> I've used sites, for example, a bank's where you login with your username 
>>> and password, and then it asks you "security questions" - like, your
>>> favourite colour, whatever, etc. etc. How is this sort of thing coded?
>>> The security questions appear without a refresh, mind you, ie. on the
>>> same page - so after the name+pwd authentication is done, does *client
>>> side Javascript* set some sort of cookie? If, after entering your
>>> username and password, the security quesions appear, and you refresh the
>>> page - what happens exactly? The authentication will happen again, and
>>> *another* cookie will be set..... - how does the system protect against
>>> that?
>>
>> Sounds to me like it uses XHR in order to request your security question
>> from the server after you have entered your login credentials.
> 
> Not necessarily.  In fact, it is more likely that it happens in an iframe.  
> Bank sites, for example, are not usually based on XHR.
>

Not if they are intelligent, they are not.  But it sounds like something
*YOU* would do.

>> XHR is often used with AJAX in order to update pages with new information
>> from the server without having to reload the page.
> 
> XMLHTTPRequest (XHR) is the *proper* term for that technology; AJAX 
> (Asynchronous JavaScript and XML) is the historic marketing buzzword,
> in common cases a *misnomer*.
>  

AJAX is the *proper* terminology for the technology.  XMLHTTPRequest
(sic) is only one method of implementing it.   Wrong again.

>> https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
>> and
>> https://developer.mozilla.org/en-US/docs/AJAX
>> can provide you with more information about this.
> 
> Please read that carefully yourself, and post here using your real name 
> only.
> 

Please stop continuing to show your ignorance and stupidity.  Cybercode
is right in his update.  You are wrong (as usual).

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex@attglobal.net
==================
0
Jerry
12/2/2016 12:48:49 AM
Jerry Stuckle wrote:

> On 12/1/2016 7:06 PM, Thomas the infamous troll 'Pointed Head' Lahn wrote:
[...]
>> XMLHTTPRequest (XHR) is the *proper* term for that technology; AJAX 
>> (Asynchronous JavaScript and XML) is the historic marketing buzzword,
>> in common cases a *misnomer*.
>>  
> 
> AJAX is the *proper* terminology for the technology.  XMLHTTPRequest
> (sic) is only one method of implementing it.   Wrong again,.

"AJAX" is a concept, not a "technology".

See <https://developer.mozilla.org/en-US/docs/AJAX>:

"Asynchronous JavaScript + XML, while not a technology in itself, is a
term coined in 2005 by Jesse James Garrett ..."

And from the guy who invented the term "AJAX":

<http://adaptivepath.org/ideas/ajax-new-approach-web-applications/>

"Defining Ajax

Ajax isn't a technology. It's really several technologies, each
flourishing in its own right, coming together in powerful new ways.
Ajax incorporates:

- standards-based presentation using XHTML and CSS;
- dynamic display and interaction using the Document Object Model;
- data interchange and manipulation using XML and XSLT;
- asynchronous data retrieval using XMLHttpRequest;
- and JavaScript binding everything together."

So XMLHTTPRequest is just one element of the *concept* AJAX, but an
important one. And even though it is not required technically, the idea
was to use XML - that's why it's called "XMLHTTPRequest" and not just
"HTTPRequest".


-- 
Arno Welzel
https://arnowelzel.de
https://de-rec-fahrrad.de
http://fahrradzukunft.de
0
Arno
12/3/2016 11:55:44 AM
On 12/3/2016 6:55 AM, Arno Welzel wrote:
> Jerry Stuckle wrote:
> 
>> On 12/1/2016 7:06 PM, Thomas the infamous troll 'Pointed Head' Lahn wrote:
> [...]
>>> XMLHTTPRequest (XHR) is the *proper* term for that technology; AJAX 
>>> (Asynchronous JavaScript and XML) is the historic marketing buzzword,
>>> in common cases a *misnomer*.
>>>  
>>
>> AJAX is the *proper* terminology for the technology.  XMLHTTPRequest
>> (sic) is only one method of implementing it.   Wrong again,.
> 
> "AJAX" is a concept, not a "technology".
> 
> See <https://developer.mozilla.org/en-US/docs/AJAX>:
> 
> "Asynchronous JavaScript + XML, while not a technology in itself, is a
> term coined in 2005 by Jesse James Garrett ..."
> 
> And from the guy who invented the term "AJAX":
> 
> <http://adaptivepath.org/ideas/ajax-new-approach-web-applications/>
> 
> "Defining Ajax
> 
> Ajax isn't a technology. It's really several technologies, each
> flourishing in its own right, coming together in powerful new ways.
> Ajax incorporates:
> 
> - standards-based presentation using XHTML and CSS;
> - dynamic display and interaction using the Document Object Model;
> - data interchange and manipulation using XML and XSLT;
> - asynchronous data retrieval using XMLHttpRequest;
> - and JavaScript binding everything together."
> 
> So XMLHTTPRequest is just one element of the *concept* AJAX, but an
> important one. And eventhough it is not required technically, the idea
> was to use XML - that's why it's call "XMLHTTPRequest" and not just
> "HTTPRequest".
> 
> 

Technology:
1. the branch of knowledge that deals with the creation and use of
technical means and their interrelation with life, society, and the
environment, drawing upon such subjects as industrial arts, engineering,
applied science, and pure science.
2. the application of this knowledge for practical ends.
3. the terminology of an art, science, etc.; technical nomenclature.
4. a scientific or industrial process, invention, method, or the like.
5. the sum of the ways in which social groups provide themselves with
the material objects of their civilization.

It seems to fit, no matter what someone without a decent knowledge of
the English language says in an 11 year old post.  And most
knowledgeable programmers consider it a technology - at least in 2016.

Do you argue with everyone, Arno?  Or just those more intelligent than
you?  Wait - I guess that is about everyone (except maybe Pointed Head
and TNP).

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex@attglobal.net
==================
0
Jerry
12/3/2016 3:12:04 PM
Jerry Stuckle wrote:

> On 12/3/2016 6:55 AM, Arno Welzel wrote:
>> Jerry Stuckle wrote:
>>
>>> On 12/1/2016 7:06 PM, Thomas the infamous troll 'Pointed Head' Lahn wrote:
>> [...]
>>>> XMLHTTPRequest (XHR) is the *proper* term for that technology; AJAX 
>>>> (Asynchronous JavaScript and XML) is the historic marketing buzzword,
>>>> in common cases a *misnomer*.
>>>>  
>>>
>>> AJAX is the *proper* terminology for the technology.  XMLHTTPRequest
>>> (sic) is only one method of implementing it.   Wrong again,.
>>
>> "AJAX" is a concept, not a "technology".
>>
>> See <https://developer.mozilla.org/en-US/docs/AJAX>:
>>
>> "Asynchronous JavaScript + XML, while not a technology in itself, is a
>> term coined in 2005 by Jesse James Garrett ..."
>>
>> And from the guy who invented the term "AJAX":
>>
>> <http://adaptivepath.org/ideas/ajax-new-approach-web-applications/>
>>
>> "Defining Ajax
>>
>> Ajax isn't a technology. It's really several technologies, each
>> flourishing in its own right, coming together in powerful new ways.
>> Ajax incorporates:
>>
>> - standards-based presentation using XHTML and CSS;
>> - dynamic display and interaction using the Document Object Model;
>> - data interchange and manipulation using XML and XSLT;
>> - asynchronous data retrieval using XMLHttpRequest;
>> - and JavaScript binding everything together."
>>
>> So XMLHTTPRequest is just one element of the *concept* AJAX, but an
>> important one. And eventhough it is not required technically, the idea
>> was to use XML - that's why it's call "XMLHTTPRequest" and not just
>> "HTTPRequest".
>>
>>
> 
> Technology:
[...]
> It seems to fit, no matter what someone without a decent knowledge of
> the English language says in an 11 year old post.  And most
> knowledgeable programmers consider it a technology - at least in 2016.
> 
> Do you argue with everyone, Arno?  Or just those more intelligent than
> you?  Wait - I guess that is about everyone (except maybe Pointed Head
> and TNP).

No, I don't argue with everyone. I just referred to the guy who *invented*
the term "Ajax" and he does not call it a "technology" himself.

BTW: About the author Jesse James Garrett:

<https://en.wikipedia.org/wiki/Jesse_James_Garrett>

"Garrett was born in Ottawa, Ontario, Canada,[17] and grew up in
Florida. He lived in Los Angeles for 5 years before moving to San
Francisco in 1999."

So I believe he has a decent knowledge of his mother tongue, don't you?

-- 
Arno Welzel
https://arnowelzel.de
https://de-rec-fahrrad.de
http://fahrradzukunft.de
0
Arno
12/4/2016 10:24:12 PM
Arno Welzel wrote:

> Jerry Stuckle wrote:
>> Do you argue with everyone, Arno?  Or just those more intelligent than
>> you?  Wait - I guess that is about everyone (except maybe Pointed Head
>> and TNP).
> 
> No, I don't argue with everone. […]

Most importantly, “Never argue with an idiot. They will only bring you down 
to their level and beat you with experience.” —George Carlin (1937–2008)

IOW: *Please* do not feed the troll.  TIA.

-- 
PointedEars
Zend Certified PHP Engineer <http://www.zend.com/en/yellow-pages/ZEND024953>
<https://github.com/PointedEars> | <http://PointedEars.de/wsvn>
Twitter: @PointedEars2 | Please do not cc me./Bitte keine Kopien per E-Mail.
0
Thomas
12/4/2016 11:17:15 PM
On 12/4/2016 5:24 PM, Arno Welzel wrote:
> Jerry Stuckle wrote:
> 
>> On 12/3/2016 6:55 AM, Arno Welzel wrote:
>>> Jerry Stuckle wrote:
>>>
>>>> On 12/1/2016 7:06 PM, Thomas the infamous troll 'Pointed Head' Lahn wrote:
>>> [...]
>>>>> XMLHTTPRequest (XHR) is the *proper* term for that technology; AJAX 
>>>>> (Asynchronous JavaScript and XML) is the historic marketing buzzword,
>>>>> in common cases a *misnomer*.
>>>>>  
>>>>
>>>> AJAX is the *proper* terminology for the technology.  XMLHTTPRequest
>>>> (sic) is only one method of implementing it.   Wrong again,.
>>>
>>> "AJAX" is a concept, not a "technology".
>>>
>>> See <https://developer.mozilla.org/en-US/docs/AJAX>:
>>>
>>> "Asynchronous JavaScript + XML, while not a technology in itself, is a
>>> term coined in 2005 by Jesse James Garrett ..."
>>>
>>> And from the guy who invented the term "AJAX":
>>>
>>> <http://adaptivepath.org/ideas/ajax-new-approach-web-applications/>
>>>
>>> "Defining Ajax
>>>
>>> Ajax isn't a technology. It's really several technologies, each
>>> flourishing in its own right, coming together in powerful new ways.
>>> Ajax incorporates:
>>>
>>> - standards-based presentation using XHTML and CSS;
>>> - dynamic display and interaction using the Document Object Model;
>>> - data interchange and manipulation using XML and XSLT;
>>> - asynchronous data retrieval using XMLHttpRequest;
>>> - and JavaScript binding everything together."
>>>
>>> So XMLHTTPRequest is just one element of the *concept* AJAX, but an
>>> important one. And eventhough it is not required technically, the idea
>>> was to use XML - that's why it's call "XMLHTTPRequest" and not just
>>> "HTTPRequest".
>>>
>>>
>>
>> Technology:
> [...]
>> It seems to fit, no matter what someone without a decent knowledge of
>> the English language says in an 11 year old post.  And most
>> knowledgeable programmers consider it a technology - at least in 2016.
>>
>> Do you argue with everyone, Arno?  Or just those more intelligent than
>> you?  Wait - I guess that is about everyone (except maybe Pointed Head
>> and TNP).
> 
> No, I don't argue with everone. I just referred to the guy wo *invented*
> the term "Ajax" and he does not call it a "technology" himself.
> 
> BTW: About the author Jesse James Garrett:
> 
> <https://en.wikipedia.org/wiki/Jesse_James_Garrett>
> 
> "Garrett was born in Ottawa, Ontario, Canada,[17] and grew up in
> Florida. He lived in Los Angeles for 5 years before moving to San
> Francisco in 1999."
> 
> So I believe he has a decent knowledge of his mother tongue, don't you?
> 

Obviously not.

And just because a guy "invented" something doesn't mean he gets to call
it what he wants.

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex@attglobal.net
==================
0
Jerry
12/5/2016 12:17:59 AM
Jerry,

> And just because a guy "invented" something doesn't mean he
> gets to call it what he wants.

Wrong argument, as you seem to be responding to a strawman.

Read what has been posted he said again, and wonder: did he there actually
deny that Ajax is a technology (and what then _does_ he call it?), or did
he just say it was not *one* technology, but *several ones combined*
(which, I can imagine, could be called a technology in its own right).

Regards,
Rudy Wieser



0
R
12/5/2016 1:01:01 AM
Jerry,

> No, Arno doesn't even rate "strawman".

"Strawman" as in his quote, not as in a person.

To put it simpler: He posted a quote that does not supply any proof or
disproof to *anything*, but made you believe it did.   As a result you're
attacking windmills.

> And yes, Arno did deny that Ajax is a technology: "AJAX" is a concept,
> not a "technology".

Is it *really* that important what he wants to call it ?    Would it change
anything for *you* if he would call it "jeanette" ?

And maybe you both are right, depending on when you learned the word, its
context and maybe even country, ever thought of that ?

> But then Arno is good at arguing from a position of ignorance,
> just to argue.

For an argument like that at least two people are needed.   If only one is
left the argument dies because of a lack of fuel.

Regards,
Rudy Wieser


-- Original message:
Jerry Stuckle <jstucklex@attglobal.net> wrote in message news:
o23ptr$n12$1@jstuckle.eternal-september.org...
> On 12/5/2016 4:08 AM, R.Wieser wrote:
> > Jerry,
> >
> >> And just because a guy "invented" something doesn't mean he
> >> gets to call it what he wants.
> >
> > Wrong argument, as you seem to be responding to a strawman.
> >
> > Read what has been posted he said again, and wonder : did he there actually
> > deny that Ajax is a technology (and what than _does_ he call it ?), or did
> > he just say it was not *one*, technology, but *several ones combined*
> > (which, I can imagine, could be called a technology in its own right).
> >
> > Regards,
> > Rudy Wieser
> >
> >
>
> No, Arno doesn't even rate "strawman".
>
> And yes, Arno did deny that Ajax is a technology: "AJAX" is a concept,
> not a "technology".
>
> But then Arno is good at arguing from a position of ignorance, just to
> argue.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> jstucklex@attglobal.net
> ==================


0
R
12/5/2016 1:01:01 AM
On 12/5/2016 4:08 AM, R.Wieser wrote:
> Jerry,
> 
>> And just because a guy "invented" something doesn't mean he
>> gets to call it what he wants.
> 
> Wrong argument, as you seem to be responding to a strawman.
> 
> Read what has been posted he said again, and wonder : did he there actually
> deny that Ajax is a technology (and what than _does_ he call it ?), or did
> he just say it was not *one*, technology, but *several ones combined*
> (which, I can imagine, could be called a technology in its own right).
> 
> Regards,
> Rudy Wieser
> 
> 

No, Arno doesn't even rate "strawman".

And yes, Arno did deny that Ajax is a technology: "AJAX" is a concept,
not a "technology".

But then Arno is good at arguing from a position of ignorance, just to
argue.

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex@attglobal.net
==================
0
Jerry
12/5/2016 1:27:39 PM
Jerry Stuckle wrote:

> On 12/5/2016 4:08 AM, R.Wieser wrote:
>> Jerry,
>>
>>> And just because a guy "invented" something doesn't mean he
>>> gets to call it what he wants.
>>
>> Wrong argument, as you seem to be responding to a strawman.
>>
>> Read what has been posted he said again, and wonder : did he there actually
>> deny that Ajax is a technology (and what than _does_ he call it ?), or did
>> he just say it was not *one*, technology, but *several ones combined*
>> (which, I can imagine, could be called a technology in its own right).
>>
>> Regards,
>> Rudy Wieser
>>
>>
> 
> No, Arno doesn't even rate "strawman".
> 
> And yes, Arno did deny that Ajax is a technology: "AJAX" is a concept,
> not a "technology".
> 
> But then Arno is good at arguing from a position of ignorance, just to
> argue.

If you want to call Ajax itself a "technology" then do so. I don't care.


-- 
Arno Welzel
https://arnowelzel.de
https://de-rec-fahrrad.de
http://fahrradzukunft.de
0
Arno
12/5/2016 6:06:26 PM