[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xmlrpc-user
Subject:    Re: HTTP Authentication again
From:       "Danny Angus" <danny.angus () gmail ! com>
Date:       2006-05-10 8:02:23
Message-ID: 5ec229170605100102v2f2cd955se56a21163b5aa9dd () mail ! gmail ! com
[Download RAW message or body]

On 09/05/06, Adam Taft <adam@hydroblaster.com> wrote:
>
> Just as a point of clarification...
>
> When you embed a password into the URL (as discussed in this thread like
> https://username:password@example.com), the username and password won't
> be encrypted even if you're using SSL (https).  That's obvious, right?

Well kind of, except that the username and password should *not* be
used in the URL but kept until they can be sent after a request for
authentication, in *exactly* the same way as if you'd typed them into
a grey box. The only real issue would be where they were visible
locally, e.g. in browser history or such like.
We're *not* talking about that here, we're talking about using the URL
construct to pass them internally to the xml rpc client.

[prev in list] [next in list] [prev in thread] [next in thread]