According to Scott Lawrence,

> I don't think that there is any interoperability reason why you
> should not send unsolicited credentials (that is, I don't think that
> it breaks the protocol itself to do so), but it makes no sense from
> a security point of view:
>
> - With Basic all you're doing is publishing your password to someone
>   who may not need it or have any reason to get it (which is what
>   you're doing every time you use Basic anyway...)
>
> - With Digest you can't generate valid credentials without the nonce
>   from the challenge anyway.

I agree that you don't generally send unsolicited credentials, but the context isn't necessarily clear. If you are challenged for credentials initially, but a long while later (potentially hours) in the same browser session, you might send those same credentials again in a later transaction. One could argue that this would be unsolicited, since it's possible for those credentials to be invalid at the later time.

--
---
Josh Cohen
josh@early.com

Received on Thursday, 13 November 1997 09:33:21 UTC
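The two points above (Basic exposes the password to whoever receives it; Digest credentials are bound to the server's nonce, so a response cached from an earlier challenge can be invalid hours later) can be seen in a small simulation. The following is an added example written for this archive page, not code from the http-wg thread or from either author. It follows the RFC 2069 request-digest formula H(H(A1):nonce:H(A2)); the realm "example.org", the user "alice", the password, the URI and the one-live-nonce server are all constructed for illustration. A real server would answer the stale case with a 401 carrying stale=TRUE rather than the string returned here.

```python
"""Constructed demo: Basic discloses the password; Digest responses are
nonce-bound and go stale.  Added example, not from the http-wg thread."""
import base64
import hashlib
import hmac
import secrets


def h(s: str) -> str:
    # RFC 2069 Digest uses MD5; kept here for fidelity to the 1997 protocol,
    # not as a recommendation for new designs.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2069 request-digest: H(H(A1) ":" nonce ":" H(A2))."""
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


def basic_header(username, password):
    """Basic sends the raw password, merely base64-encoded."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_password(header):
    """Anyone who sees a Basic header gets the password back with one decode."""
    token = header.split(" ", 1)[1]
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


class DigestServer:
    """Toy origin server (constructed): one live nonce, anything else is stale."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # constructed username -> password table
        self.current_nonce = None

    def challenge(self):
        # Every 401 challenge carries a fresh nonce; the previous one is retired.
        self.current_nonce = secrets.token_hex(16)
        return {"realm": self.realm, "nonce": self.current_nonce}

    def verify(self, username, method, uri, nonce, response):
        if username not in self.users:
            return "reject"
        if nonce != self.current_nonce:
            # Credentials built on an old challenge: even with the right
            # password the server cannot accept them (RFC 2069 "stale" case,
            # the client must answer a fresh challenge).
            return "stale"
        expected = digest_response(username, self.realm, self.users[username],
                                   method, uri, nonce)
        return "ok" if hmac.compare_digest(expected, response) else "reject"


def run_scenario():
    """Replay the situation described in the message; return the outcomes."""
    srv = DigestServer("example.org", {"alice": "correct horse"})
    outcomes = []

    # 1. Initial challenge and a properly solicited response: accepted.
    c1 = srv.challenge()
    r1 = digest_response("alice", c1["realm"], "correct horse", "GET", "/private/", c1["nonce"])
    outcomes.append(srv.verify("alice", "GET", "/private/", c1["nonce"], r1))

    # 2. Hours later the server has moved on to a new nonce; the browser
    #    re-sends the old nonce/response unsolicited.
    srv.challenge()
    outcomes.append(srv.verify("alice", "GET", "/private/", c1["nonce"], r1))

    # 3. Client honours the fresh challenge and recomputes: accepted again.
    c3 = srv.challenge()
    r3 = digest_response("alice", c3["realm"], "correct horse", "GET", "/private/", c3["nonce"])
    outcomes.append(srv.verify("alice", "GET", "/private/", c3["nonce"], r3))
    return outcomes


if __name__ == "__main__":
    print(run_scenario())                       # ['ok', 'stale', 'ok']
    hdr = basic_header("alice", "correct horse")
    print(hdr, "->", recover_basic_password(hdr))
```

The middle step is the point of contention in the thread: the credentials were solicited once, but by the time the browser re-sends them the server's nonce has changed, so they are effectively unsolicited and fail. With Basic there is no such binding, which is why re-sending costs nothing in validity and everything in disclosure.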
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:16:28 UTC