Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] username & pw in clear-text through SSL considered safe?
- Date: Mon, 16 Jun 2008 22:26:43 -0500
Mike Fratto wrote on 6/16/2008 4:03 PM:
> Bil, is that true when digest mode is used as well?
> Internet Explorer and Firefox send the HTTP Auth header on every
> request (after logging in). It's optional to do so (per the RFC)
> and presumably they do it to reduce network traffic and quicker
> page load. Not sending it means having the site prompt for it,
> then sending the request again, which comes out to two hits per
> page.
It's been a few months since I tested Safari's behavior and couldn't remember, so I tested it again tonight. Lo, Apple changed the behavior entirely -- version 3.1.1 matches the behavior of FF and IE. That is, all three browsers will send the HTTP Auth header with every request after authenticating.
Sorry for the misinformation; I'm glad to see the behavior is now consistent across FF, IE, and Safari.
- Bil
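
The round-trip arithmetic from the quoted text, as an added example that is not part of the original message: a toy in-process server and client using Basic auth compare a client that sends the Authorization header preemptively after the first login with one that waits for a 401 challenge on every page. The realm, user name, password and function names are constructed for the illustration.

```python
import base64
import hmac

REALM = "example"              # constructed realm name
USERS = {"alice": "s3cret"}    # constructed credentials

def handle(headers):
    """Toy origin server: return (status, response_headers) for one request."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    if scheme != "Basic":
        return challenge
    try:
        # Basic credentials are only base64("user:password"), not encrypted.
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:
        return challenge       # malformed base64 or non-UTF-8 bytes
    if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
        return 200, {}
    return challenge

def fetch_pages(n, preemptive, user="alice", pw="s3cret"):
    """Fetch n pages; return (total_requests, requests_carrying_credentials)."""
    cred = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
    hits = with_creds = 0
    authenticated = False
    for _ in range(n):
        # A preemptive client attaches the header once it has logged in.
        headers = {"Authorization": cred} if preemptive and authenticated else {}
        hits += 1
        with_creds += bool(headers)
        status, _ = handle(headers)
        if status == 401:
            # Challenged: repeat the same request with credentials attached.
            hits += 1
            with_creds += 1
            status, _ = handle({"Authorization": cred})
        authenticated = status == 200
    return hits, with_creds

if __name__ == "__main__":
    print("preemptive    :", fetch_pages(5, preemptive=True))
    print("challenge-only:", fetch_pages(5, preemptive=False))
```

In this model both clients put the credentials on the wire once per page; the preemptive client only saves the extra challenge round trip.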