Form Authentication with SSL works acceptably. Actually password anything isn't really that secure. However Form/SSL is acceptable for most apps. You can't have anything more than mimic security without encryption. The session is keyed to a token. If it's not encrypted, I can intercept it and probably change your password or at least have fun for a session.
Just to note that WebSphere does use an encrypted LTPA token with a short expiry period (it gets regenerated every 10 minutes or so).
_______________________________________________
Juglist mailing list
http://trijug.org/mailman/listinfo/juglist_trijug.org
