ws-users mailing list archives

From Adam Taft <a...@hydroblaster.com>
Subject Re: HTTP Authentication again
Date Tue, 09 May 2006 16:30:56 GMT

Just as a point of clarification...

When you embed a password into the URL (as discussed in this thread like 
https://username:password@example.com), the username and password won't 
be encrypted even if you're using SSL (https).  That's obvious, right?

Whereas, with basic authentication (via http headers), the credentials 
will be encrypted when using SSL.  This is because the credentials are 
part of the message header, not part of the resource locator itself.

This is ultimately why the first form of authentication 
(credentials in the URL) is strongly discouraged.


Danny Angus wrote:
> On 09/05/06, Schölver, Andreas <Andreas.Schoelver@ebootis.de> wrote:
>> Is a clear text password really desirable or is it a security issue?
> 
> 1/ use https - then it won't be visible on the network
> 2/ don't hard-code the password, make it a configurable parameter -
> then only the user will know it.
> 3/ if security is a big concern do something more secure.
> 
> d.
> 
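
An added example, not part of the original message: one way to keep credentials out of the resource locator is to strip the userinfo from a URL and carry it in a Basic Authorization header instead. The function name `split_credentials` and the sample URLs are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (clean_url, headers).

    clean_url has any user:password@ part removed, so it is safe to log
    or display. headers carries the same credentials as an HTTP Basic
    Authorization header, or is empty if the URL had no userinfo.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, {}

    # Rebuild the authority from host and port only.
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean_url = urlunsplit(
        (parts.scheme, netloc, parts.path, parts.query, parts.fragment)
    )

    # Userinfo may be percent-encoded in a URL; the header takes raw values.
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")

    # Base64 is an encoding, not encryption: this header is only
    # protected in transit when the request goes over SSL/TLS.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return clean_url, {"Authorization": "Basic " + token.decode("ascii")}


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in (
        "https://username:password@example.com",
        "https://user:p%40ss@example.com:8443/service?wsdl",
        "https://example.com/service",
    ):
        print(split_credentials(sample))
```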
