Scrive Fastream Technologies <[EMAIL PROTECTED]>:

> In my debugging, I saw that clients favor the order provided that they 
> support the prior method. For example,
> www-authenticate: Digest ...
> www-authenticate: Basic ...
> If digest is supported, by all three browsers, it is preffered.

The client should use the strongest in any case. The rfc say:

   A possible man-in-the-middle (MITM) attack would be to add a weak
   authentication scheme to the set of choices, hoping that the client
   will use one that exposes the user's credentials (e.g. password). For
   this reason, the client should always use the strongest scheme that
   it understands from the choices accepted.

Is seems very reasonable to me. You can try to write a server that send the 
Basic before the Digest and see what happen. I hope that Digest will used, 
otherwise the client should be putted directly into the trashcan.
Of course I don't bet on what IE does :-)

Bye, Maurizio.

This mail has been sent using Alpikom webmail system

To unsubscribe or change your settings for TWSocket mailing list
please goto
Visit our website at

Reply via email to