Form Authentication with SSL works acceptably. Actually, password-anything isn't really that secure. However, Form/SSL is acceptable for most apps. You can't have anything more than mimic security without encryption. The session is keyed to a token. If it's not encrypted, I can intercept it and probably change your password or at least have fun for a session.
-andy

> From: "Richard O. Hammer" <[EMAIL PROTECTED]>
> Reply-To: "Research Triangle Java User's Group mailing list."<[EMAIL PROTECTED]>
> Date: Sat, 10 Apr 2004 12:50:14 -0400
> To: "Research Triangle Java User's Group mailing list."<[EMAIL PROTECTED]>
> Subject: [Juglist] Re: HTTP authentication -- was too few warnings among us about bad code
>
> Hugh Allen wrote:
>> * HTTP basic authentication
>> * Form-based authentication
>> * Client-certificate authentication
>
> I had lumped HTTP Basic authentication together with FORM authentication, and meant both of them when I wrote about "HTTP authentication" in my last post. I was thinking that form-based authentication was a kind of HTTP authentication, but I may be mistaken about that. Anyhow, form-based authentication is what I have recently found to have enough gotchas to drive me to look for better, maybe to write my own.
>
>> It appears that Form-based authentication, when combined with SSL, is flexible and does not expose passwords or messages in plain text.
>
> I agree. It APPEARS decent. But how often is it actually used in serious work?
>
>> ... This is what I plan to use for my production environment, but I haven't gotten the SSL cert yet.
>
> Based upon my limited experience, I warn you against form-based authentication. The SSL part has worked without difficulty for me, however.
>
> Thank you for the links.
>
> Rich Hammer
>
> _______________________________________________
> Juglist mailing list
> [EMAIL PROTECTED]
> http://trijug.org/mailman/listinfo/juglist_trijug.org
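One way to enforce the "SSL" half of Form/SSL at the container level, so that neither the login POST nor the session token Andy mentions ever travels over plain HTTP. This is an added example, not code from the thread or from any poster: a servlet `web.xml` showing the weak constraint (FORM auth with no transport guarantee) commented out beside the corrected one. The login page paths, the role name `user`, and the Servlet 3.1 container are assumptions; the `cookie-config` element only exists from Servlet 3.0 onward and was not available in the containers of 2004.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread). Paths and role name are placeholders. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

  <!-- Weak: FORM auth with no user-data-constraint. The credentials in the
       login POST and every later JSESSIONID cookie may be sent over http://,
       which is exactly the interception case described above. -->
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  -->

  <!-- Corrected: the same constraint plus CONFIDENTIAL transport. The
       container redirects plain HTTP requests to HTTPS before it shows the
       form and before any session token is issued. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Assumed page names; both must exist in the web application. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Servlet 3.0+: the session cookie is marked Secure (the browser will not
       send it over http://) and HttpOnly (page scripts cannot read it), and
       idle sessions expire so a captured token has a bounded lifetime. -->
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

A quick check after deployment: fetch a protected URL over plain HTTP and confirm the container answers with a redirect to `https://`, then log in and confirm the `Set-Cookie: JSESSIONID=...` response header carries both `Secure` and `HttpOnly`. If either attribute is missing, the token can still leak on the next plain-HTTP request regardless of how the login form was served.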
