httpd-users mailing list archives

From John Brayton <>
Subject Re: When SSL is overkill
Date Wed, 03 Jul 2002 13:30:36 GMT
> However, most of the restricted material could just as well be placed
> on a normal http, if it was not for the access control. I am currently using
> Basic authentication on the SSL, which ensures that my password is not
> transferred in clear text.
> Is it possible to configure a server, so
>    - when entering the server, authentication is done over SSL
>    - After the user successfully logged in, the contents of the
>      server can be transferred using only http

You could use digest authentication which is designed to do exactly 
this.  See:

But there are several caveats, which are documented on that page.  In 
addition, there are known incompatibilities between digest 
authentication in IE and Apache.  This is documented at:,3668,a%3D24177,00.asp

You may also want to check out this system, which does form-based 
authentication via a JavaScript performing a secure hash on the username 
and/or password:

I believe that this is *less* secure than using Basic Authentication via 
HTTPS, but more secure than Basic Authentication via HTTP.  And it 
avoids some of the SSL administration headaches.

