Hi all,

Just backing up Tim here a bit. In LedgerSMB 1.3, we decided to go to HTTP auth because of some changes in the security architecture of the software. After looking at alternatives, we concluded that HTTP auth was likely to be the way to go long-run. There are some constraints which preclude the use of Digest authentication (Negotiate and Basic work OK, but the latter really requires SSL).

In general the issues came down to:

1) We do pass-through authentication, and both authentication and permissions enforcement occur at the database level.

2) To do this effectively, we would have to either store the database passwords somewhere accessible to the web server (opening up possible attacks) or we would have to pass them back using some sort of secure, but reversible encryption scheme. Since the key would have to be accessible on the server, this didn't seem as secure to us as just requiring a usable auth token to be passed to the web server via HTTP auth.

There are substantial hurdles to overcome to make this work. However, moving to an HTTP auth framework means that a number of really powerful tools are gained. While it isn't standard yet, I hope the industry moves in that direction. I do think we need some sort of HTTP status or other header information that would tell a browser to clear the auth cache and not try again.

Best Wishes,
Chris Travers
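The pass-through scheme described in the post above, sketched as an added example (this is not LedgerSMB code, and LedgerSMB itself is written in Perl): the web tier parses the `Authorization: Basic` header, hands the username and password straight to the database driver for that one request, and never stores them. A missing, malformed or rejected credential is answered with a 401 and a fresh `WWW-Authenticate` challenge so the browser re-prompts rather than resending. The realm name, the `FakeDatabase` standing in for PostgreSQL, and the `db_connect` callback signature are all assumptions made for this example; in a real deployment the connect call would open a database session as that role, and, as the post notes, Basic auth only makes sense over TLS.

```python
import base64
import binascii
import hmac
from typing import Callable, Dict, Optional, Tuple

REALM = "LedgerSMB"  # assumed realm name; the original post names none


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Extract (user, password) from an 'Authorization: Basic <b64>' header.

    Returns None for anything that is not a well-formed Basic credential so the
    caller can issue a 401 challenge instead of guessing.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends after the user fills in the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def challenge() -> Tuple[int, Dict[str, str], bytes]:
    """401 plus a WWW-Authenticate challenge; the browser will prompt again."""
    return (
        401,
        {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'},
        b"Authentication required\n",
    )


class FakeDatabase:
    """Stand-in for the database (constructed for this example, not PostgreSQL).

    Authentication happens here, at the database layer, exactly as in the
    pass-through design: the web tier only forwards what the browser sent.
    """

    def __init__(self, roles: Dict[str, str]):
        self._roles = roles  # role name -> password (constructed sample data)

    def connect(self, user: str, password: str) -> "FakeDatabase.Session":
        expected = self._roles.get(user)
        # constant-time compare; a real driver does its own password check
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        return FakeDatabase.Session(user)

    class Session:
        def __init__(self, role: str):
            self.role = role  # permissions are enforced per database role


def handle_request(
    headers: Dict[str, str],
    db_connect: Callable[[str, str], "FakeDatabase.Session"],
) -> Tuple[int, Dict[str, str], bytes]:
    """One request: forward the Basic credential to the database, keep nothing.

    No password is written to server-side storage; it lives only for the
    duration of this call and goes out of scope when the session is dropped.
    """
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return challenge()
    user, password = creds
    try:
        session = db_connect(user, password)
    except PermissionError:
        # Wrong password or unknown role: challenge again rather than
        # letting the browser silently resend the same cached credential.
        return challenge()
    body = f"authenticated as database role {session.role}\n".encode("utf-8")
    return 200, {"Content-Type": "text/plain; charset=utf-8"}, body


if __name__ == "__main__":
    db = FakeDatabase({"alice": "s3cret"})  # constructed sample role
    print(handle_request({}, db.connect)[0])                                        # 401
    print(handle_request({"Authorization": basic_header("alice", "wrong")}, db.connect)[0])  # 401
    print(handle_request({"Authorization": basic_header("alice", "s3cret")}, db.connect)[0])  # 200
```

The only secret the web tier ever sees is the one the browser supplies on each request, which is the property the post is after: there is no stored database password and no reversible-encryption key to steal from the web server. The unsolved part the post raises, telling the browser to forget a cached credential, is not addressed by any header in this example; a 401 merely makes the browser prompt again.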