Fastream Technologies <[EMAIL PROTECTED]> writes:
> In my debugging, I saw that clients favor the order provided that they
> support the prior method. For example,
>
> www-authenticate: Digest ...
> www-authenticate: Basic ...
>
> If digest is supported, by all three browsers, it is preferred.

The client should use the strongest in any case. The RFC says:

---8<---
A possible man-in-the-middle (MITM) attack would be to add a weak authentication scheme to the set of choices, hoping that the client will use one that exposes the user's credentials (e.g. password). For this reason, the client should always use the strongest scheme that it understands from the choices accepted.
--->8---

It seems very reasonable to me. You can try to write a server that sends the Basic before the Digest and see what happens. I hope that Digest will be used, otherwise the client should be put directly into the trashcan.

Of course I don't bet on what IE does :-)

Bye, Maurizio.
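
The selection rule from the RFC text quoted above, as an added example that is not part of the original message or of the TWSocket code: a client-side chooser that parses every WWW-Authenticate challenge and picks the strongest scheme it understands, ignoring the order the server (or a man-in-the-middle) put them in. The function names, the `STRENGTH` ranking and the sample headers are assumptions made for this example.

```python
import re

# Assumed ranking for this example (higher = stronger); extend for other schemes.
STRENGTH = {"basic": 0, "digest": 1}

_PIECE = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^,])+')   # split on commas outside quotes
_START = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+(.*))?$", re.S)


def _add_param(text, params):
    name, _, value = text.partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = re.sub(r"\\(.)", r"\1", value[1:-1])   # undo quoted-pair escapes
    params[name.strip().lower()] = value


def parse_challenges(header_values):
    """Parse WWW-Authenticate values into [(scheme, params)], in the order received."""
    challenges = []
    for header in header_values:
        for piece in _PIECE.findall(header):
            piece = piece.strip()
            if not piece:
                continue
            m = _START.match(piece)
            rest = (m.group(2) or "") if m else ""
            if m and not rest.startswith("="):
                # "scheme" or "scheme first-param": a new challenge starts here
                challenges.append((m.group(1).lower(), {}))
                if rest:
                    _add_param(rest, challenges[-1][1])
            elif challenges:
                # otherwise the piece is a further param of the current challenge
                _add_param(piece, challenges[-1][1])
    return challenges


def choose_scheme(header_values, strength=STRENGTH):
    """Return the strongest understood challenge, whatever order the server used."""
    known = [c for c in parse_challenges(header_values) if c[0] in strength]
    return max(known, key=lambda c: strength[c[0]], default=None)


# Constructed sample: Basic listed first, as an injected weak challenge would be.
SAMPLE = ['Basic realm="files"', 'Digest realm="files", nonce="abc,def", qop="auth"']

if __name__ == "__main__":
    print(choose_scheme(SAMPLE))
```

Because the choice depends only on the ranking, listing Basic first or folding both challenges into one header does not change the result; schemes missing from `STRENGTH` are never selected.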