Matt Matijevich said:
snip
I'm about 90% sure that URL strings are passed in the clear to SSL
servers, so this would defeat the purpose of SSL.
/snip
I don't think this is true. You can see the query string in the
address bar, but (with what little http knowledge I have) the http
conversation is encrypted, if you sniff it, the contents will be
encrypted, even the query string.
This still might make the user uncomfortable (it'd make me uncomfortable)
so we can't ignore the warm fuzzy factor.
But if you can confirm this, perhaps it'd be good enough.
It seems this was fixed in a newer version of PHP or Apache or OpenSSL.
Perhaps their lazy admins just need to update their server. Of course,
I've been known to miss a few upgrades (he he he :-) so there's certainly
an allowance for laziness, but not if my request for them to upgrade is
ignored.
Do you know of any other MySQL-enabled auth methods? Can you confirm GET
strings are also encrypted?
/dev/idal
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
