Apart from being able to integrate the login into the page, what then is the advantage of Form Auth over Basic?
Both are basically crap without SSL. The only advantage I can think of for Form Auth is that the login process can be over SSL, but then it can move out of SSL and rely on session memory, which, as the session id is in either a cookie or the URL, would be insecure, though only insecure for a session's lifetime. Useful for big sites where everything in SSL might be a CPU issue, but generally it could all just stay in SSL, so why not just use Basic?

Just wondering. I find that the choice is often driven by how the business people want it to look.

Hen

On Sat, 10 Apr 2004, Andrew Oliver wrote:

> Form Authentication with SSL works acceptably. Actually password anything
> isn't really that secure. However Form/SSL is acceptable for most apps.
> You can't have anything more than mimic security without encryption. The
> session is keyed to a token. If it's not encrypted, I can intercept it and
> probably change your password or at least have fun for a session.
>
> -andy
>
> > From: "Richard O. Hammer" <[EMAIL PROTECTED]>
> > Reply-To: "Research Triangle Java User's Group mailing list." <[EMAIL PROTECTED]>
> > Date: Sat, 10 Apr 2004 12:50:14 -0400
> > To: "Research Triangle Java User's Group mailing list." <[EMAIL PROTECTED]>
> > Subject: [Juglist] Re: HTTP authentication -- was too few warnings among us about bad code
> >
> > Hugh Allen wrote:
> >> * HTTP basic authentication
> >> * Form-based authentication
> >> * Client-certificate authentication
> >
> > I had lumped HTTP Basic authentication together with FORM
> > authentication, and meant both of them when I wrote about "HTTP
> > authentication" in my last post. I was thinking that form-based
> > authentication was a kind of HTTP authentication, but I may be
> > mistaken about that. Anyhow, form-based authentication is what I have
> > recently found to have enough gotchas to drive me to look for better,
> > maybe to write my own.
> >
> >> It appears that Form-based authentication, when combined with SSL, is
> >> flexible and does not expose passwords or messages in plain text.
> >
> > I agree. It APPEARS decent. But how often is it actually used in
> > serious work?
> >
> >> ... This
> >> is what I plan to use for my production environment, but I haven't
> >> gotten the SSL cert yet.
> >
> > Based upon my limited experience, I warn you against form-based
> > authentication. The SSL part has worked without difficulty for me,
> > however.
> >
> > Thank you for the links.
> >
> > Rich Hammer
> >
> > _______________________________________________
> > Juglist mailing list
> > [EMAIL PROTECTED]
> > http://trijug.org/mailman/listinfo/juglist_trijug.org
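As an added illustration of the point Hen and Andy are both making (a cleartext Basic header and a cleartext session token are each recoverable by anyone on the path), the following Python is example code written for this page; it is not code from the thread or from any of the posters. The four captured requests are constructed samples, the host name is made up, and the j_username / j_password / JSESSIONID names follow the servlet-container convention for FORM authentication; the eavesdropper parses each request and reports what it learns, and a second check shows whether a Set-Cookie header for the session id carries the Secure attribute (without it the browser sends the token over plain HTTP as soon as the site drops out of SSL).

```python
"""Added example (not from the thread): what a passive eavesdropper recovers
from one cleartext HTTP request under each scheme the thread compares.

- HTTP Basic: Authorization carries base64(user:password); base64 is an
  encoding, not encryption, so the password itself is recovered.
- Form auth: the login POST carries the password in the body, and afterwards
  the session is keyed to a token (JSESSIONID in a Cookie header, or in a
  ;jsessionid= URL path parameter when the container rewrites URLs).  Over
  plain HTTP that token is recovered and rides the session until it expires.

All requests below are constructed samples, not captured traffic.
"""
import base64
import re
from urllib.parse import parse_qs

# --- constructed samples (hypothetical host example.test) -------------------
BASIC_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"   # base64("alice:s3cret")
    "\r\n"
)
FORM_LOGIN_REQUEST = (
    "POST /j_security_check HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "j_username=alice&j_password=s3cret"
)
COOKIE_SESSION_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: JSESSIONID=9A3F1C2E7B4D5A6F\r\n"
    "\r\n"
)
URL_SESSION_REQUEST = (
    "GET /account;jsessionid=9A3F1C2E7B4D5A6F HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
)

SESSION_IN_COOKIE = re.compile(r"(?i)\bJSESSIONID=([^;\s]+)")
SESSION_IN_URL = re.compile(r"(?i);jsessionid=([^?;\s]+)")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased.  Raises ValueError on a bad request line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def eavesdrop(raw):
    """Return what a passive observer learns from one cleartext request."""
    method, target, headers, body = parse_request(raw)
    found = {}

    # HTTP Basic: decode, don't decrypt.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth[6:].strip()).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            creds = None
        if creds is not None and ":" in creds:
            found["username"], _, found["password"] = creds.partition(":")

    # Form login: the password travels in the POST body, unencoded.
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        fields = parse_qs(body)
        if "j_username" in fields and "j_password" in fields:
            found["username"] = fields["j_username"][0]
            found["password"] = fields["j_password"][0]

    # Session token, whether it rides in a cookie or in a rewritten URL.
    for pattern, where in ((SESSION_IN_COOKIE, headers.get("cookie", "")),
                           (SESSION_IN_URL, target)):
        m = pattern.search(where)
        if m:
            found["session_id"] = m.group(1)
    return found


def session_cookie_stays_in_ssl(set_cookie):
    """True if a Set-Cookie value carries the Secure attribute, so the browser
    never sends the session id over plain HTTP once the site moves the user
    out of SSL after login.  Without it the token leaks on the first http:// link."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs


if __name__ == "__main__":
    for name, raw in (("basic", BASIC_REQUEST), ("form login", FORM_LOGIN_REQUEST),
                      ("cookie session", COOKIE_SESSION_REQUEST),
                      ("url session", URL_SESSION_REQUEST)):
        print(name, "->", eavesdrop(raw))
```

Run as a script it prints the recovered credentials for the two login styles and the same session id for both token placements; note that the URL-rewritten form is the worse of the two, since the token also lands in proxy and server logs and in Referer headers, while a cookie marked Secure at least stays inside SSL.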
