ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Danny Angus" <danny.an...@gmail.com>
Subject Re: HTTP Authentication again
Date Wed, 10 May 2006 08:02:23 GMT
On 09/05/06, Adam Taft <adam@hydroblaster.com> wrote:
>
> Just as a point of clarification...
>
> When you embed a password into the URL (as discussed in this thread like
> https://username:password@example.com), the username and password won't
> be encrypted even if you're using SSL (https).  That's obvious, right?

Well kind of, except that the username and password should *not* be
used in the URL but kept until they can be sent after a request for
authentication, in *exactly* the same way as if you'd typed them into
a grey box. The only real issue would be where they were visible
locally, e.g. in browser history or such like.
We're *not* talking about that here, we're talking about using the URL
construct to pass them internally to the xml rpc client.

Mime
View raw message