Re: Redirecting htaccess over SSL, then back to port 80?

On Tue, Jul 7, 2009 at 10:25 AM, Paul Reilly<pareilly@xxxxxx> wrote:

> I don't want to force all web access over HTTPS, just the .htaccess
> authentication.

Assuming you're doing standard HTTP Authentication, it doesn't work
that way.  Once you get the login popup, every subsequent request by
the browser sends the same authentication token (username & password
in clear text) to the server.

Hence, doing SSL for the first request doesn't really add to your
security since all the other requests would send the username &
password in clear text (some people think the user & pass are
"encrypted" but it's really just base64 encoding).

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
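
The point made in the reply above, as an added example that is not part of the original message: with HTTP Basic authentication every request carries the same base64-encoded credential, so any request sent outside TLS exposes it. The requests, host name, ports and credentials below are constructed sample data, and the function names are illustrative.

```python
import base64

# Constructed sample: (destination port, raw request head) pairs, as a capture
# of one browser session might show them. The credentials are made up.
_CRED = base64.b64encode(b"alice:s3cret").decode()
SAMPLE_REQUESTS = [
    (443, f"GET /private/ HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic {_CRED}\r\n\r\n"),
    (80, f"GET /private/report.html HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic {_CRED}\r\n\r\n"),
    (80, f"GET /private/logo.png HTTP/1.1\r\nHost: example.test\r\nauthorization: basic {_CRED}\r\n\r\n"),
    (80, "GET /public/ HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

def basic_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            # base64 is an encoding, not encryption: no key is needed to reverse it.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None

def cleartext_exposures(requests, tls_ports=(443,)):
    """List (path, user) for each request carrying Basic credentials without TLS."""
    findings = []
    for port, raw in requests:
        creds = basic_credentials(raw)
        if creds and port not in tls_ports:
            path = raw.split(" ", 2)[1]
            findings.append((path, creds[0]))
    return findings

if __name__ == "__main__":
    for path, user in cleartext_exposures(SAMPLE_REQUESTS):
        print(f"Basic credentials for {user!r} sent in clear text: {path}")
```

Only the first request in the sample goes over TLS; the two later requests to the protected area repeat the same header on port 80, which is why the whole protected area needs HTTPS rather than just the login step.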

