Dan Hardiker:
> However, HTTP basic authentication is passed the same as session cookies
> (discussed earlier in this thread) - in the headers of the HTTP
> communication. This can very easily be faked with something like cURL.

On the other hand, if you know the user's credentials, why bother to fake anything -- just log in to the system like anyone else!

So... In a system where eavesdropping or man-in-the-middle attacks are not possible (i.e. HTTP over SSL), HTTP Basic Authentication is secure. So it makes sense to piggyback the session id propagation on it also.

mk

--
PHP Development Mailing List <http://www.php.net/>