On 12/01/2016 06:50 PM, bit-n...@hotmail.com wrote:
> I've used sites, for example, a bank's where you login with your username and password,
> and then it asks you "security questions" - like, your favourite colour, whatever, etc. etc.
> How is this sort of thing coded? The security questions appear without a refresh, mind you,
> i.e. on the same page - so after the name+pwd authentication is done, does *client side
> Javascript* set some sort of cookie?
The login will be done over an ajax call, as Cybercode mentioned. If the
username/password matches, the server will send the security question as
the response to the earlier mentioned ajax call.
The client side is untrusted, so the cookie has already been set when
you enter the login page (before you enter your username/password); the
session data on the server side will be updated on a successful login.
> If, after entering your username and password,
> the security questions appear, and you refresh the page - what happens exactly?
Much depends on how it's designed: if badly, you will be asked for
username/password again; if done properly, you will be asked for the
security question.
A side note: those security questions give a false sense of security; if
you want security you go for 2-factor authentication.
> The authentication will happen again, and *another* cookie will be set.....
> - how does the system protect against that?
You don't have to set a new session cookie, you can keep on using the
one you had in the first place, but you may change it to make it a bit
more difficult to steal the session cookie and use it to access the
system. There is a lot to read about this at OWASP, see
https://www.owasp.org/index.php/Main_Page
--
//Aho
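As an added example (not code from Aho or anyone else in the thread), here is a minimal server-side model of the flow described above: the session cookie is issued before login, each ajax step advances a stage stored only on the server, a page refresh is rendered from that stage, and the session id is rotated once authentication completes. The account, salt, function names and the dict-based session store are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
SALT = b"demo-salt"  # constructed; a real store would use a per-user random salt

def _h(value):
    return hashlib.sha256(SALT + value.encode()).digest()

# Constructed demo account: password and answer are stored only as hashes.
USERS = {"alice": {"pwd": _h("correct horse"),
                   "question": "What is your favourite colour?",
                   "answer": _h("blue")}}

# Server-side session store, keyed by the cookie value. Only the stage
# stored here decides what the user may do; the client holds just the id.
SESSIONS = {}

def new_session():
    """Issue the pre-auth session cookie when the login page is first served."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"stage": "anonymous", "user": None}
    return sid

def login_step1(sid, username, password):
    """AJAX handler for username/password; returns the security question on success."""
    s, u = SESSIONS.get(sid), USERS.get(username)
    if s is None or s["stage"] != "anonymous":
        return {"error": "invalid state"}
    stored = u["pwd"] if u else bytes(32)  # compare even for unknown users
    if u is None or not hmac.compare_digest(stored, _h(password)):
        return {"error": "bad credentials"}
    s.update(stage="question", user=username)
    return {"question": u["question"]}

def login_step2(sid, answer):
    """AJAX handler for the answer; rotates the session id on full authentication."""
    s = SESSIONS.get(sid)
    if s is None or s["stage"] != "question":
        return {"error": "invalid state"}
    if not hmac.compare_digest(USERS[s["user"]]["answer"], _h(answer)):
        return {"error": "bad answer"}
    del SESSIONS[sid]  # the pre-auth id stops working from here on
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"stage": "authenticated", "user": s["user"]}
    return {"ok": True, "set_cookie": new_sid}

def render_on_refresh(sid):
    """What a full page reload shows: the server-side stage decides, not the client."""
    stage = SESSIONS.get(sid, {}).get("stage", "anonymous")
    return {"anonymous": "login form", "question": "security question"}.get(stage, "account page")
```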