Larry Stone wrote: > The method below would be vulnerable to replay attacks, since anyone > seeing the encrypted credentials would just be able to append them to any URL > to get that EPerson's access. If you use it, have the remote app's HTTP > client use an encrypted (HTTPS) channel. >
Sorry, my error. Larry, would it be secure if you added a time stamp to the encrypted info? Sounds like basic auth over HTTPS would be simpler though... Best regards, jim ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ DSpace-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dspace-tech
