ws-users mailing list archives

From Georg Sauer-Limbach <...@gslweb.de>
Subject Re: HTTP Authentication again
Date Tue, 09 May 2006 18:53:45 GMT
Oliver,

this seems to be a very clever feature of Firefox.
I am just exercising with ftp://user:pw@host URLs
to access ftp, and it seems to behave the same.
It even removes the user:pwd from the URL bar
after it has logged in.

So, I wouldn't bet on all browsers to behave like
that.

Cheers
Georg

Oliver Cole wrote:
> On Tue, 2006-05-09 at 10:30 -0600, Adam Taft wrote:
> 
>>Just as a point of clarification...
>>
>>When you embed a password into the URL (as discussed in this thread like 
>>https://username:password@example.com), the username and password won't 
>>be encrypted even if you're using SSL (https).  That's obvious, right?
>>
>>Whereas, with basic authentication (via http headers), the credentials 
>>will be encrypted when using SSL.  This is because the credentials are 
>>part of the message header, not part of the resource locator itself.
>>
>>This is ultimately why the first form for authentication 
>>(credentials in the URL) is strongly discouraged.
> 
> 
> Um, I just sniffed Firefox against Apache, with a user:password@host
> URL, and it first got back a 401, then sent the password in the
> Authorization header. At no point did the password travel alongside any
> form of resource location.
> 
> Either you're wrong, or I misunderstand?
> 
> Regards,
> 
> Oli
> 
> 
> 
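
The exchange Oliver reports above, modelled as an added example (it is not part of any message in this thread): a client that strips the userinfo from a user:password@host URL, sends the request without it, and answers the 401 with an Authorization header. The URL, host, path and credentials are constructed sample values, and the behaviour is modelled on what he observed for Firefox, not on every client.

```python
import base64
from urllib.parse import urlsplit, unquote

# Constructed sample URL; host, path and credentials are illustrative only.
SAMPLE_URL = "https://alice:p%40ss@example.com:8443/svc/echo?wsdl"

def split_userinfo(url):
    """Separate the credentials from the parts that go into the request."""
    parts = urlsplit(url)
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")   # userinfo is percent-encoded
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return user, password, host, target

def build_exchange(url):
    """Return (first request, retry after 401) as raw HTTP/1.1 text."""
    user, password, host, target = split_userinfo(url)
    head = f"GET {target} HTTP/1.1\r\nHost: {host}\r\n"
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return head + "\r\n", head + f"Authorization: Basic {token}\r\n\r\n"

def decode_basic(request):
    """Recover (user, password) from a request; Base64 is not encryption."""
    for line in request.split("\r\n"):
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "authorization" and value.startswith("Basic "):
            user, _, password = base64.b64decode(value[6:]).decode().partition(":")
            return user, password
    return None

if __name__ == "__main__":
    first, retry = build_exchange(SAMPLE_URL)
    print(first)
    print(retry)
    print(decode_basic(first), decode_basic(retry))
```

Neither request line nor Host header carries the userinfo in this model, and the header value is only Base64, so its confidentiality on the wire comes entirely from the TLS layer.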
