Hello everyone, I have a few strict requirements for security on my project, and I am having a hard time understanding some concepts. I cannot use SSL due to the performance loss, and the application must be accessed only by authenticated users. Meanwhile, I am required to never send the password in cleartext. I have successfully implemented DIGEST authentication with the helpful response from Mark Thomas, but I am curious about how authentication for further requests takes place. I notice that the user is prompted for the password only the first time, and subsequent requests are automatically authenticated. Is the authentication information stored in a session somewhere? Is this easy to obtain through sniffing? Could a sniffer potentially fake an authenticated client's session id to get access to an application? I would appreciate any input or any links/books where I can read up on how this works. I sincerely appreciate your time and help.
Best Regards, Khawaja Shams