- From: Florent Georges <fgeorges@gmail.com>
- Date: Thu, 5 Feb 2009 16:51:24 +0100
- To: mozer <xmlizer@gmail.com>
- Cc: Norman Walsh <ndw@nwalsh.com>, XProc Dev <xproc-dev@w3.org>
2009/2/5 mozer wrote:

>> If you know that you're using Basic authentication, then you can send
>> the credentials first and avoid the "got a 401, retry with
>> credentials" round trip.

>> > Why not always send credentials on
>> > the first request, when specified? I guess this is related to
>> > security, to not send credentials without the user explicitly
>> > requesting so?

>> Credentials that you send on the first attempt are effectively clear
>> text. (They're hashed, but I think it's reversible.)

> Well small fix here : hashing is not reversible ; but using the hashed value
> you can reproduce the logging which is definitely a security issue

I am not sure we speak about the same thing here, but in Basic
Authentication, the credentials are not encoded (yes, in base64, but
that's just for transport neutrality purpose, not for security.)

--
Florent Georges
http://www.fgeorges.org/
Received on Thursday, 5 February 2009 15:52:30 UTC
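
The point discussed in this message, as an added example that is not part of the original thread: a Basic `Authorization` header value is only base64 of `user:password` (RFC 7617), so anyone who can read the request recovers the password. The function names, the sample credentials and the HTTPS-only rule for sending credentials on the first request are assumptions made for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit


def build_basic_header(user: str, password: str) -> str:
    """Return the Authorization header value for Basic authentication."""
    if ":" in user:
        # The first ':' separates user from password, so the user-id cannot contain one.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value: str):
    """Recover (user, password) from a header value; None if it is not valid Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None  # no ':' means this is not a user:password pair
    return user, password  # the password itself may contain ':'


def should_send_preemptively(url: str) -> bool:
    """Assumed policy: skip the 401 round trip only when the transport is encrypted."""
    return urlsplit(url).scheme.lower() == "https"


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    header = build_basic_header("alice", "s3cret:with:colons")
    print("on the wire :", header)
    print("recovered   :", parse_basic_header(header))
    for url in ("http://example.org/api", "https://example.org/api"):
        print(url, "-> send on first request:", should_send_preemptively(url))
```
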