Oliver,

this seems to be a very clever feature of Firefox.
I am just exercising with ftp://user:[EMAIL PROTECTED] URLs
to access ftp, and it seems to behave the same.
It even removes the user:pwd from the URL bar
after it has logged in.

So, I wouldn't bet on all browsers to behave like
that.

Cheers
Georg

Oliver Cole wrote:
On Tue, 2006-05-09 at 10:30 -0600, Adam Taft wrote:

Just as a point of clarification...

When you embed a password into the URL (as discussed in this thread like https://username:[EMAIL PROTECTED]), the username and password won't be encrypted even if you're using SSL (https). That's obvious, right?

Whereas, with basic authentication (via http headers), the credentials will be encrypted when using SSL. This is because the credentials are part of the message header, not part of the resource locator itself.

This is ultimately why the first form for authentication (credentials in the URL) is strongly discouraged.


Um, I just sniffed Firefox against Apache, with a user:[EMAIL PROTECTED]
URL, and it first got back a 401, then sent the password in the
Authorization header. At no point did the password travel alongside any
form of resource location.

Either you're wrong, or I misunderstand?

Regards,

Oli
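
Added example, not part of the original thread: a Python model of the exchange Oliver describes sniffing, in which the credentials from a `user:password@host` URL are stripped from the request target and sent in the `Authorization` header on the retry after the 401. The host `example.test`, the credentials and the function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote

def split_userinfo(url):
    """Return (url_without_credentials, username, password)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = parts._replace(netloc=host).geturl()
    user = unquote(parts.username) if parts.username is not None else None
    pwd = unquote(parts.password) if parts.password is not None else None
    return clean, user, pwd

def build_requests(url):
    """Return (first_request, retry_request); retry is None without userinfo."""
    clean, user, pwd = split_userinfo(url)
    parts = urlsplit(clean)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # Neither the request target nor the Host header carries the userinfo.
    base = [f"GET {target} HTTP/1.1", f"Host: {parts.netloc}"]
    first = "\r\n".join(base) + "\r\n\r\n"
    if user is None:
        return first, None
    # Basic auth is base64 of "user:password": an encoding, not encryption.
    token = base64.b64encode(f"{user}:{pwd or ''}".encode()).decode("ascii")
    retry = "\r\n".join(base + [f"Authorization: Basic {token}"]) + "\r\n\r\n"
    return first, retry

if __name__ == "__main__":
    sample = "https://alice:s3cret@example.test/private/report?id=7"  # constructed
    first, retry = build_requests(sample)
    print(split_userinfo(sample)[0])
    print(first + retry)
```

The credential-free URL returned by `split_userinfo` is also the form to write to logs or history, since the original string still contains the password.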


