March 1st, 2002, 06:31 AM
I'm in the process of writing a web application and am starting to look into the authorisation of things.
I've been using .htaccess security for quite a while and also PHP sessions, and MySQL password stuff.
For this web app, I'm gonna be using the .htaccess (hopefully) as a MySQL server will not be available.
What my question is, is the .htaccess authorisation secure enough?
Are the passwords transmitted from the client to the web server encrypted or not?
March 1st, 2002, 12:41 PM
What's with DevShed these days? No one, no answers.
Anyway, found the solution. And just if anyone else is seeking an answer to the question,
passwords are not sent encrypted, but not sent in plain text; they are sent uuencoded, so anyone watching the packets fire around the networks will not see the plain text passwords.
But anyone catching the right packets would be able to capture the password(s).
March 1st, 2002, 06:33 PM
That only happens in Basic authentication. When you're using Digest authentication your password is sent in md5 - and that is pretty secure. Look into mod_auth_digest for more information.
And you know I mean that.
March 7th, 2002, 04:46 PM
Sending your password md5-encoded is just as secure as sending clear-text (if you don't consider script-kiddies - that don't really know what they are doing - catching your output).
You can just repeat the sent data (md5-encoded) and it will log you in just as plain-password.
For better security there is no way around SSL!
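Added example, not part of the thread and not code from any poster: what a server receives under each scheme discussed above. A Basic header is Base64 (RFC 2617) and decodes straight back to the password, while a Digest response is an MD5 bound to a server-issued nonce. `DigestVerifier`, its one-time-nonce policy and the sample account are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = decoded.partition(":")  # password may contain ':'
    return user, password

def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response, form without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestVerifier:
    """Hypothetical server side: every issued nonce is accepted once."""
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users        # constructed sample data: user -> password
        self.outstanding = set()  # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response):
        if nonce not in self.outstanding or user not in self.users:
            return False
        expected = digest_response(user, self.realm, self.users[user],
                                   method, uri, nonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.outstanding.discard(nonce)  # a captured response cannot be reused
        return True
```

Neither scheme protects the page content or any session cookie in transit, which is what the SSL recommendation in the last post addresses.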