On Tue, Jul 7, 2009 at 10:25 AM, Paul Reilly<parei...@tcd.ie> wrote: > I don't want to force all web access over HTTPS, just the .htaccess > authentication.
Assuming you're doing standard HTTP Authentication, it doesn't work that way. Once you get the login popup, every subsequent request by the browser sends the same authentication token (username & password in clear text) to the server. Hence, doing SSL for the first request doesn't really add to your security since all the other requests would send the username & password in clear text (some people think the user & pass are "encrypted" but it's really just base64 encoding). -- Aaron Turner http://synfin.net/ http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
