Re: [closed] Re: p:http-request's send-authorization use case?

2009/2/5 mozer wrote:

>> If you know that you're using Basic authentication, then you can send
>> the credentials first and avoid the "got a 401, retry with
>> credentials" round trip.

>> > Why not always send credentials on
>> > the first request, when specified?  I guess this is related to
>> > security, to not send credentials without the user explicitly
>> > requesting so?

>> Credentials that you send on the first attempt are effectively clear
>> text. (They're hashed, but I think it's reversible.)

> Well, small fix here: hashing is not reversible; but using the hashed value
> you can reproduce the logging, which is definitely a security issue

  I am not sure we are speaking about the same thing here, but in Basic
Authentication, the credentials are not encoded (yes, in base64, but
that's just for transport neutrality purposes, not for security.)

-- 
Florent Georges
http://www.fgeorges.org/

Received on Thursday, 5 February 2009 15:52:30 UTC
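
The base64 point made in the message above, as an added example that is not part of the original thread: the Basic `Authorization` value decodes straight back to the user name and password, so a request that sends it pre-emptively over plain HTTP exposes them. The function names, sample URLs and credentials are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(header: str):
    """Recover (user, password) from an Authorization value, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Split on the first ':' only: the password may contain colons.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def exposes_credentials(url: str, headers: dict) -> bool:
    """True if a request carries decodable Basic credentials without TLS."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    return urlsplit(url).scheme.lower() != "https" and decode_basic(auth) is not None


# Constructed sample requests (hypothetical host and credentials).
SAMPLES = [
    ("http://example.org/feed", {"Authorization": basic_header("alice", "s3:cret")}),
    ("https://example.org/feed", {"Authorization": basic_header("alice", "s3:cret")}),
    ("http://example.org/feed", {"Authorization": 'Digest username="alice"'}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, decode_basic(headers["Authorization"]), exposes_credentials(url, headers))
```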