Hi Sergiu,

On Thu, Feb 25, 2010 at 9:27 PM, Sergiu Dumitriu <[email protected]> wrote:

> On 02/25/2010 07:36 PM, Guillaume Lerouge wrote:
> > Hi Alaina,
> >
> > On Thu, Feb 25, 2010 at 7:21 PM, Alaina<[email protected]> wrote:
> >
> >> Hi everyone,
> >>
> >> I was wondering how the standard authentication handles user
> >> passwords. Especially I would like to know whether those passwords get
> >> sent from the client to the server in plaintext or whether they get
> >> encrypted.
> >>
> >> Or in other words is it safe to use a non-encrypted http connection or
> >> should I use an SSL https connection to prevent password sniffing.
> >>
> >
> > I think HTTPS is safer. Passwords are stored encrypted on the DB but AFAIK
> > if you're using HTTP they're going to be sent plaintext to the wiki, thus
> > allowing for sniffing during the transfer. I might be wrong though ;-)
>
> Guillaume is correct, but this applies only to the default cookie-based
> authentication.
>

See, sometimes I'm even right when it comes to software ;-)

Guillaume

> HTTPS is safer as a general rule anyway.
>
> To reduce the need for encryption, you can just set up the httpd frontend
> to automatically redirect from HTTP to HTTPS for login URLs, and back to
> HTTP for all the other URLs.
>
> > Guillaume
> >
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu/
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
>

--
Guillaume Lerouge
Product Manager - XWiki SAS
Skype: wikibc
Twitter: glerouge
http://guillaumelerouge.com/
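The login-only redirect suggested in the thread, written out as an Apache httpd configuration beside a site-wide HTTPS variant; this is an added example, not configuration from the thread or from the XWiki project. The host name, certificate paths, backend address and the `/xwiki/bin/login`, `/xwiki/bin/loginsubmit` and `/xwiki/bin/view` paths are assumptions to check against your own deployment.

```apache
# Added example. Placeholders: wiki.example.org, the certificate paths and a
# servlet container on localhost:8080. URL paths are assumed XWiki defaults.
# Needs mod_rewrite, mod_ssl, mod_proxy_http and mod_headers.
# Start httpd with -DFULL_HTTPS to select the site-wide variant.

<VirtualHost *:80>
    ServerName wiki.example.org
    RewriteEngine On
    <IfDefine !FULL_HTTPS>
        # Login-only variant: the login form and its submit URL go to HTTPS.
        RewriteRule ^/xwiki/bin/(login|loginsubmit)/ https://wiki.example.org%{REQUEST_URI} [R=302,L]
    </IfDefine>
    <IfDefine FULL_HTTPS>
        # Site-wide variant: nothing is served over plain HTTP.
        RewriteRule ^ https://wiki.example.org%{REQUEST_URI} [R=301,L]
    </IfDefine>
    ProxyPass        /xwiki http://localhost:8080/xwiki
    ProxyPassReverse /xwiki http://localhost:8080/xwiki
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.example.org
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key
    RewriteEngine On
    <IfDefine !FULL_HTTPS>
        # Page views go back to HTTP. The password stays protected, but the
        # session cookie issued at login is sent unencrypted from here on.
        RewriteRule ^/xwiki/bin/view/ http://wiki.example.org%{REQUEST_URI} [R=302,L]
    </IfDefine>
    <IfDefine FULL_HTTPS>
        # Keep browsers on HTTPS and mark backend cookies Secure so they are
        # never sent to port 80.
        Header always set Strict-Transport-Security "max-age=31536000"
        Header edit Set-Cookie ^(.*)$ "$1; Secure"
    </IfDefine>
    ProxyPass        /xwiki http://localhost:8080/xwiki
    ProxyPassReverse /xwiki http://localhost:8080/xwiki
</VirtualHost>
```

In the login-only variant only `/xwiki/bin/view/` is sent back to HTTP, a narrower rule than "all the other URLs", so that stylesheets and scripts loaded by the HTTPS login page are not redirected to plain HTTP.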
