On 17/03/10 11:33 -0500, Gustavo Andrés Angulo wrote:
> Hi, when using HTTP authentication, on every request the user and password
> are sent in the HTTP protocol in the "credentials" section. I think this
> is the wrong way. To use the HTTP authentication protocol I use HTTP + SSL (HTTPS),
> and if I want to use HTTP the best way is to use a token, something like
> http://localhost:8069/try?auth=TOKEN,
The current implementation is also not secure if used without SSL. I think it
could not be a wrong way when we choose to follow a standard. And later we
could try to implement Digest Access Authentication from RFC 2617 [1].
Tokens are also insecure over non-SSL because you can still steal them.

[1] http://tools.ietf.org/html/rfc2617

-- 
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email/Jabber: [email protected]
Website: http://www.b2ck.com/
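Worked example, added here and written by neither poster nor taken from any project: it contrasts the two schemes discussed above. Basic authentication only base64-encodes "user:password", so the decoder shows that anyone who captures one request holds the password. The Digest part implements the RFC 2617 qop="auth" computation (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)) on both the client and the server side; the server stores only HA1, verifies the response without ever seeing the password, and uses the nonce-count to reject a replayed Authorization header. The realm "example", the user "alice" and the password are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    """RFC 2617 Digest is defined over MD5 hex digests of ASCII strings (legacy algorithm)."""
    return hashlib.md5(s.encode()).hexdigest()


# --- Basic authentication: the header is an encoding, not a protection ---

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header: str):
    """Recover (user, password) from a Basic header; this is all an observer has to do."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- Digest authentication (RFC 2617, qop="auth") ---

def digest_authorize(user: str, password: str, challenge: dict, method: str,
                     uri: str, nc: int = 1) -> dict:
    """Client side: answer a WWW-Authenticate challenge. Only the hash leaves the client."""
    nc_str = f"{nc:08x}"  # nonce-count; a real client increments it per request
    cnonce = secrets.token_hex(8)
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc_str}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": "auth", "nc": nc_str, "cnonce": cnonce, "response": response}


class DigestServer:
    """Server side: issues nonces and verifies responses from stored H(A1) values."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # RFC 2617 section 3.2.2.2 allows storing H(A1) instead of the password.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.nonces = {}  # nonce -> highest nonce-count accepted so far (replay detection)

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, p: dict) -> bool:
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return False
        if p.get("username") not in self.ha1 or p.get("nonce") not in self.nonces:
            return False
        nc = int(p["nc"], 16)
        if nc <= self.nonces[p["nonce"]]:
            return False  # same or older nonce-count: a replayed header
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(
            f"{self.ha1[p['username']]}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.nonces[p["nonce"]] = nc
        return True


if __name__ == "__main__":
    print(basic_decode(basic_header("alice", "s3cret")))  # password recovered as-is
    srv = DigestServer("example", {"alice": "s3cret"})
    ch = srv.challenge()
    p = digest_authorize("alice", "s3cret", ch, "GET", "/try")
    print("password on the wire:", "s3cret" in "".join(p.values()))
    print("first request accepted:", srv.verify("GET", p))
    print("replayed request accepted:", srv.verify("GET", p))
```

Digest keeps the password itself off the wire and the nonce-count check blocks a straight replay, but it does not change the conclusion of the reply above: the captured response can still be guessed offline against the MD5 construction, and nothing in the scheme protects the request body or the rest of the session, so it is a complement to SSL rather than a substitute for it.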
