ws-users mailing list archives

From Oliver Cole <oliverc...@f2s.com>
Subject Re: HTTP Authentication again
Date Tue, 09 May 2006 18:41:07 GMT
On Tue, 2006-05-09 at 10:30 -0600, Adam Taft wrote:
> Just as a point of clarification...
> 
> When you embed a password into the URL (as discussed in this thread like 
> https://username:password@example.com), the username and password won't 
> be encrypted even if you're using SSL (https).  That's obvious, right?
> 
> Whereas, with basic authentication (via http headers), the credentials 
> will be encrypted when using SSL.  This is because the credentials are 
> part of the message header, not part of the resource locator itself.
> 
> This is ultimately why the first form for authentication 
> (credentials in the URL) is strongly discouraged.

Um, I just sniffed Firefox against Apache, with a user:password@host
URL, and it first got back a 401, then sent the password in the
Authorization header. At no point did the password travel alongside any
form of resource location.

Either you're wrong, or I misunderstand?

Regards,

Oli