https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #20 from Gabriel <gabrielesanc...@gmail.com> ---
(In reply to Gabriel from comment #19)
> Hashing on the client side has its merits as long as you also hash on the
> server side and you don't use the same salt on the client as you do on the
> server. In particular, if your client code fetches the salt corresponding
> to a username, that lets an attacker know if they have a valid username (if
> they receive a salt from the server to do hashing on the client side). If
> you use a random salt generated for a client session or even a constant
> client-side salt, it is best to also hash on the server side with an
> independent user-specific hash.

Oops... random salt generated for a client session wouldn't work, would it? It would either have to be constant or user specific. I suppose constant is best on the client side.
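The scheme discussed in this comment, as an added example (not code from the bug report or from Tomcat): a constant, public client-side salt keeps the raw password off the wire without the client ever asking the server for a per-user salt, and the server re-hashes the received digest with its own independent per-user random salt. The salt value, iteration count and in-memory user store are constructed for the example; the second function demonstrates why a per-session client salt cannot work.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value; tune for real deployments
# Constant client-side salt (constructed value). It is public, so it only keeps
# the raw password off the wire; it is NOT the server's salt and proves nothing
# about which usernames exist, because the client never has to fetch it.
CLIENT_SALT = b"example-client-salt-v1"

def client_hash(password: str, client_salt: bytes = CLIENT_SALT) -> bytes:
    """First hash, computed by the client before sending the credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), client_salt, ITERATIONS)

def server_hash(client_digest: bytes, user_salt: bytes) -> bytes:
    """Second, independent hash keyed by a per-user random salt kept server-side."""
    return hashlib.pbkdf2_hmac("sha256", client_digest, user_salt, ITERATIONS)

class UserStore:
    """In-memory stand-in for the server's credential table (constructed)."""
    def __init__(self):
        self._users = {}  # username -> (user_salt, stored_digest)

    def register(self, username: str, client_digest: bytes) -> None:
        user_salt = os.urandom(16)  # generated and kept server-side only
        self._users[username] = (user_salt, server_hash(client_digest, user_salt))

    def verify(self, username: str, client_digest: bytes) -> bool:
        entry = self._users.get(username)
        if entry is None:
            return False
        user_salt, stored = entry
        return hmac.compare_digest(server_hash(client_digest, user_salt), stored)

def constant_client_salt_works() -> bool:
    """Constant client salt: the same digest is reproduced at every login."""
    store = UserStore()
    store.register("alice", client_hash("correct horse"))
    return (store.verify("alice", client_hash("correct horse"))
            and not store.verify("alice", client_hash("wrong password")))

def session_salt_breaks_login() -> bool:
    """The 'oops' from the comment: a fresh per-session client salt cannot be
    reproduced at login, so even the right password fails verification."""
    store = UserStore()
    store.register("bob", client_hash("hunter2", os.urandom(16)))
    return not store.verify("bob", client_hash("hunter2", os.urandom(16)))
```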