On 04/09/2010 17:27, André Warnier wrote:
> Digest authentication is not very popular, and rather a pain to
> implement yourself.
> The reason why it is not very popular is that it is a bit of a halfway
> solution: it does avoid user passwords being transmitted in clear over
> the net, but it is not safe against man-in-the-middle attacks (someone can
> record the digest, and use it to authenticate later as that user).

No they can't. DIGEST is secure against such an attack. Any session ID, however, will be vulnerable.

> And
> it still leaves the subsequent conversation unencrypted.

True.

> If you really need security, then you should run your entire site under
> HTTPS.

It depends on what you are trying to protect. Generally, this is true, but there will be edge cases where DIGEST is sufficient.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
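The replay question in the exchange above turns on the nonce and nonce-count in RFC 2617 Digest. The following is an added example, not code from the thread or from Tomcat: it computes the `qop=auth` response and shows a minimal server check that tracks the highest nonce-count accepted per nonce, so a recorded response is rejected when presented a second time. All realm, user, password and nonce values are constructed.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the thread).
REALM, USER, PASSWORD = "example-realm", "alice", "s3cret"
METHOD, URI = "GET", "/protected/report"
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed nonce


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side, RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: stores HA1 per user and the highest nc accepted per issued nonce."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = {}  # nonce -> highest nonce-count accepted so far

    def issue_nonce(self, nonce):
        self.issued[nonce] = 0

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if user not in self.ha1 or nonce not in self.issued:
            return False  # unknown user, or nonce never issued / already expired
        if int(nc, 16) <= self.issued[nonce]:
            return False  # nonce-count did not increase: a replayed or stale request
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False  # wrong password, or method/URI differ from what was signed
        self.issued[nonce] = int(nc, 16)
        return True


def replay_demo():
    """Returns (first_attempt_accepted, identical_replay_accepted)."""
    server = DigestServer(REALM, {USER: PASSWORD})
    server.issue_nonce(SERVER_NONCE)
    nc, cnonce = "00000001", "0a4f113b"
    resp = digest_response(USER, PASSWORD, REALM, METHOD, URI, SERVER_NONCE, nc, cnonce)
    first = server.verify(USER, METHOD, URI, SERVER_NONCE, nc, cnonce, resp)
    replay = server.verify(USER, METHOD, URI, SERVER_NONCE, nc, cnonce, resp)
    return first, replay
```

The replay protection lives entirely in the server's nonce-count and nonce-expiry checks; a server that only recomputes the hash without tracking `nc` accepts the recorded response for as long as the nonce is valid. The response also binds the method and URI, so a captured value does not authorise a different request.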