Just as a point of clarification...
When you embed a password into the URL (as discussed in this thread like
https://username:[EMAIL PROTECTED]), the username and password won't
be encrypted even if you're using SSL (https). That's obvious, right?
Whereas, with basic authentication (via http headers), the credentials
will be encrypted when using SSL. This is because the credentials are
part of the message header, not part of the resource locator itself.
This is ultimately why the first form for authentication
(credentials in the URL) is strongly discouraged.
Danny Angus wrote:
On 09/05/06, Schölver, Andreas <[EMAIL PROTECTED]> wrote:
Is a clear text password really desirable or is it a security issue?
1/ use https - then it won't be visible on the network
2/ don't hard-code the password, make it a configurable parameter -
then only the user will know it.
3/ if security is a big concern do something more secure.
d.
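
An added example, not part of the original thread: one way to take credentials out of a URL, send them as a Basic `Authorization` header over https only, and let a configured username and password take precedence over anything embedded in the URL. The function names and the sample URL are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (url_without_userinfo, username, password)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return clean, user, password


def basic_auth_header(username, password):
    """Build the Basic Authorization header (RFC 7617).

    Base64 is an encoding, not encryption: the header is only protected
    by the TLS channel it travels over.
    """
    if ":" in username:
        raise ValueError("Basic auth user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii")}


def prepare_request(url, username=None, password=None):
    """Return (clean_url, headers); configured credentials win over URL ones."""
    clean, url_user, url_password = split_credentials(url)
    if urlsplit(clean).scheme != "https":
        raise ValueError("refusing to send Basic credentials without https")
    username = username if username is not None else url_user
    password = password if password is not None else url_password
    if username is None or password is None:
        return clean, {}
    return clean, basic_auth_header(username, password)


if __name__ == "__main__":
    # Constructed sample URL; the credentials are made up.
    url, headers = prepare_request("https://alice:s3cr%40t@example.com:8443/inbox?x=1")
    print("log-safe URL:", url)
    print("header names:", sorted(headers))
```

The returned URL carries no userinfo, so it is the form to write to logs or configuration; the password itself would come from a configurable parameter rather than a literal in the code.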