Hi Sergiu,

On Thu, Feb 25, 2010 at 9:27 PM, Sergiu Dumitriu <[email protected]> wrote:
On 02/25/2010 07:36 PM, Guillaume Lerouge wrote:
Hi Alaina,
On Thu, Feb 25, 2010 at 7:21 PM, Alaina <[email protected]> wrote:
Hi everyone,
I was wondering how the standard authentication handles user passwords. Especially I would like to know whether those passwords get sent from the client to the server in plaintext or whether they get encrypted.
Or, in other words, is it safe to use a non-encrypted HTTP connection, or should I use an SSL HTTPS connection to prevent password sniffing?
I think HTTPS is safer. Passwords are stored encrypted on the DB but AFAIK if you're using HTTP they're going to be sent plaintext to the wiki, thus allowing for sniffing during the transfer. I might be wrong though ;-)
Guillaume is correct, but this applies only to the default cookie-based authentication.
See, sometimes I'm even right when it comes to software ;-)

Guillaume
HTTPS is safer as a general rule anyway.
To reduce the need for encryption, you can just set up the httpd frontend to automatically redirect from HTTP to HTTPS for login URLs, and back to HTTP for all the other URLs.
Guillaume
-- Sergiu Dumitriu http://purl.org/net/sergiu/

_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
-- Guillaume Lerouge Product Manager - XWiki SAS Skype: wikibc Twitter: glerouge http://guillaumelerouge.com/
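As an added example, not taken from the thread or from XWiki itself, here is the HTTP-to-HTTPS leg of the httpd frontend redirect Sergiu describes, written for Apache mod_rewrite with the wiki proxied to a local Tomcat. The /xwiki context path, the /bin/login action path, the hostname, the backend port and the certificate file names are all assumptions, not values from the thread.

```apache
# Assumed layout: Apache httpd in front of XWiki, which is proxied at
# http://127.0.0.1:8080/xwiki and serves its login form under /xwiki/bin/login/...
<VirtualHost *:80>
    ServerName wiki.example.org          # assumed hostname

    RewriteEngine On
    # Any plain-HTTP request for the login page is bounced to HTTPS before the
    # form is even rendered; the form's relative action then posts over HTTPS,
    # so the password never crosses the wire in cleartext.
    RewriteRule ^/xwiki/bin/login(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

    # Everything else stays on HTTP, as in the thread's setup.
    ProxyPass        /xwiki http://127.0.0.1:8080/xwiki
    ProxyPassReverse /xwiki http://127.0.0.1:8080/xwiki
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.example.org          # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.org.pem   # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.org.key # placeholder path

    ProxyPass        /xwiki http://127.0.0.1:8080/xwiki
    ProxyPassReverse /xwiki http://127.0.0.1:8080/xwiki
</VirtualHost>
```

The reverse redirect (HTTPS back to HTTP for non-login URLs) is deliberately not shown: once the session cookie set at login is sent over plain HTTP it can be sniffed just like the password, so the protection only holds if the cookie is restricted to HTTPS or the whole wiki stays on HTTPS.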