Digest authentication vs POST authentication

    As you know, the HTTP protocol has Digest authentication. One of my acquaintances claims that it is generally more secure than conventional authentication carried out using HTML forms. Of course, I understand that by sniffing the second option you can catch a username/password pair, but that is a pretty rare situation; more often it will be possible to catch the SID and set it for yourself (along with the rest of the parameters, if the SID is tied to anything else) and get the desired session. But in the first case, you can sniff the traffic, catch the Authorization header, copy it for yourself and get the same session.

    The option of changing the nonce for each request seems rather utopian to me (that is, to use it once and never use it again).

    I don’t understand something about digest authentication.

    P.S. I am aware that SSL will save you from everything :).
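For reference, an added example that is not part of the original post: how an RFC 2617 digest response (qop=auth) is computed, and how a server that tracks the nonce count `nc` treats a copied Authorization header. `DigestVerifier`, `digest_response`, `demo` and the credentials are hypothetical names and constructed values.

```python
import hashlib, hmac, secrets

def _h(s: str) -> str:
    # RFC 2617 uses MD5; RFC 7616 adds SHA-256 with the same construction.
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """response = H(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth."""
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")          # binds the response to method and URI
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Hypothetical server-side check: correct response and a fresh nc."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users   # users: constructed demo store
        self.last_nc = {}                       # nonce -> highest nc accepted

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, method, uri, hdr):
        if hdr["nonce"] not in self.last_nc:
            return "unknown-nonce"              # server would answer stale=true
        password = self.users.get(hdr["username"])
        if password is None or hdr["uri"] != uri:
            return "rejected"
        expected = digest_response(hdr["username"], self.realm, password,
                                   method, uri, hdr["nonce"], hdr["nc"], hdr["cnonce"])
        if not hmac.compare_digest(expected, hdr["response"]):
            return "rejected"
        nc = int(hdr["nc"], 16)
        if nc <= self.last_nc[hdr["nonce"]]:
            return "replay"                     # same nonce, nc not increased
        self.last_nc[hdr["nonce"]] = nc
        return "ok"

def demo():
    server = DigestVerifier("example", {"alice": "constructed-password"})
    nonce = server.issue_nonce()
    hdr = {"username": "alice", "uri": "/account", "nonce": nonce,
           "nc": "00000001", "cnonce": "0a4f113b"}
    hdr["response"] = digest_response("alice", "example", "constructed-password",
                                      "GET", "/account", nonce, hdr["nc"], hdr["cnonce"])
    return [server.verify("GET", "/account", hdr),    # first use of the header
            server.verify("GET", "/account", hdr),    # identical copy sent again
            server.verify("POST", "/account", hdr)]   # copy reused on another method
```

The replay check depends on the server keeping per-nonce state; a server that ignores `nc` accepts the copied header until the nonce expires.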
