On Tue, 2006-05-09 at 10:30 -0600, Adam Taft wrote:
> Just as a point of clarification...
>
> When you embed a password into the URL (as discussed in this thread like
> https://username:[EMAIL PROTECTED]), the username and password won't
> be encrypted even if you're using SSL (https). That's obvious, right?
>
> Whereas, with basic authentication (via http headers), the credentials
> will be encrypted when using SSL. This is because the credentials are
> part of the message header, not part of the resource locator itself.
>
> This is ultimately why the first form for authentication
> (credentials in the URL) is strongly discouraged.
Um, I just sniffed Firefox against Apache, with a user:[EMAIL PROTECTED] URL, and it first got back a 401, then sent the password in the Authorization header. At no point did the password travel alongside any form of resource location. Either you're wrong, or I misunderstand?

Regards,
Oli
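To make what Oli saw on the wire concrete, here is an added Python example (not code from the thread): it splits the userinfo out of a user:pass@host URL the way a client does, builds the request line and the RFC 7617 Basic Authorization header sent after the 401, and decodes that header to show it is base64 encoding rather than encryption, so TLS is what actually protects it. The function names and the sample URL are my own assumptions.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_embedded_credentials(url):
    """Return (url_without_userinfo, username, password) for https://user:pass@host/path.
    The userinfo is percent-decoded: a password containing ':' or '@' must be
    written as %3A / %40 inside a URL, so the decoded value is what goes in the header."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    # Rebuild the URL without userinfo: the request-target and Host header carry no secret.
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, unquote(parts.username), unquote(parts.password or "")


def basic_authorization_header(username, password):
    """RFC 7617 Basic credentials: base64 of 'user:pass'. This is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(url):
    """Return the request line and headers a client sends after receiving a 401 challenge.
    The credentials never appear in the request line; only in the Authorization header."""
    clean, user, password = split_embedded_credentials(url)
    parts = urlsplit(clean)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    headers = {"Host": parts.netloc}
    if user is not None:
        headers["Authorization"] = basic_authorization_header(user, password)
    return f"GET {target} HTTP/1.1", headers


def decode_basic(header_value):
    """Recover (user, password) from a Basic header: trivially reversible by anyone who
    can read the header, which is why it is only acceptable inside TLS."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password
```

Over plain HTTP the Authorization header is readable by any on-path observer; over HTTPS both the header and the request line are inside the TLS record, so the URL form and the header form end up equally protected on the wire.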
