Martin,

On 5/13/2009 9:27 AM, Martin Gainty wrote:
> if you are asking how to overcome Man-in-the-middle fraudulent
> manipulation based on basic authentication?

He's not.

> and or Man-in-the middle
> fraudulent manipulation based on Form-based authentication which uses
> j_username and j_password and posts back to j_security_check using
> cleartext?

He's not asking that, either.

> i would suggest implementation authentication using either
> Message-Digest or HTTPS Message-Digest

This does not solve the problem, which is session hijacking, not
protection of credentials. You have wasted a great deal of your time
coming up with that response. Instead, you should have read the
referenced thread and contributed to the discussion of protection
against session fixation, instead of posting tips on how to protect
credentials.

-chris