>> Like I said, it's not clear to me how this [HTTP Digest Authentication] would solve my [Session Hijacking] problem. Can >> you elaborate a little? Wow, well thanks both of you for the great information. I didn't realize that a new nonce was generated for each request, so I didn't see how it was any different than a regular session id, but this really is just like having the user reauthenticate for every request, but without bugging them. As you both pointed out, man in the middle attacks are still a problem...kind of a real bummer apache doesn't have auth-int yet, but it looks like this might be feasible with a server-side script. Thanks again for all the advice. -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://pgp.mit.edu/ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|