[nycphp-talk] Another stupid thing
Paul A Houle
paul at devonianfarm.com
Mon Feb 2 13:05:51 EST 2009
Digest authentication doesn't really work because the different
browser and server vendors never achieved interoperability.
If you're worried about transmissions being intercepted, use SSL.
Both Apache 2 and IIS have SSL built in, so it's straightforward to
implement. You can spend as much as you like on an SSL certificate,
but you can get them cheap from GoDaddy or sign them yourself for
internal products with no budget.
Note that sites like Yahoo, Google, Amazon, Twitter, eBay, and
Digg don't use Basic Auth, Digest Auth or any of the Auth systems built
into the HTTP standard. They use the unofficial standard that's
described in the following paper:
http://pdos.csail.mit.edu/papers/webauth:sec10.pdf