Forum OpenACS Development: HTTP Auth

Collapse
Posted by Dave Bauer on
Is anyone using the HTTP Auth package?

I have a client that may be interested in using it to allow authenticated automated downloads with curl.

Last time I looked and implemented http auth, it was recommended to only allow http auth over SSL. Does anyone know if this is still a recommended practice?

Thanks.

Dave

Collapse
2: Re: HTTP Auth (response to 1)
Posted by Antonio Pisano on
Hello Dave,

I cannot comment on the status of the package, but I feel confident about telling you that SSL recommendation still holds, because once the token is issued, everybody being able to sniff it over the connection could get access to the server.