ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Danny Angus" <>
Subject Re: HTTP Authentication again
Date Wed, 10 May 2006 08:02:23 GMT
On 09/05/06, Adam Taft <> wrote:
> Just as a point of clarification...
> When you embed a password into the URL (as discussed in this thread like
>, the username and password won't
> be encrypted even if you're using SSL (https).  That's obvious, right?

Well kind of, except that the username and password should *not* be
used in the URL but kept until they can be sent after a request for
authentication, in *exactly* the same way as if you'd typed them into
a grey box. The only real issue would be where they were visible
locally, e.g. in browser history or such like.
We're *not* talking about that here, we're talking about using the URL
construct to pass them internally to the xml rpc client.

View raw message