On 09/05/06, Adam Taft <[EMAIL PROTECTED]> wrote:
Just as a point of clarification... When you embed a password into the URL (as discussed in this thread like https://username:[EMAIL PROTECTED]), the username and password won't be encrypted even if you're using SSL (https). That's obvious, right?
Well kind of, except that the username and password should *not* be used in the URL but kept until they can be sent after a request for authentication, in *exactly* the same way as if you'd typed them into a grey box. The only real issue would be where they were visible locally, e.g. in browser history or such like. We're *not* talking about that here, we're talking about using the URL construct to pass them internally to the xml rpc client.
