
Digest authentication vs POST authentication

As you know, HTTP has Digest authentication. A friend of mine claims that it is in no way more secure than ordinary authentication done through an HTML form. Of course, I understand that in the second case the password itself can be intercepted, but that is a fairly rare situation; more often you would capture the SID, set it for yourself (well, provided the SID is not also bound to other parameters) and get the session you need. But in the first case you can watch the traffic, capture the Authorization header, copy it for yourself and get the same session.

The option of changing the nonce for every request seems rather utopian to me (that is, storing it and never using it again).

There is something I don't understand about Digest authentication.

PS I know that SSL saves you from everything :).

Source: https://habr.com/ru/post/61463/
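The question above is about whether a captured Digest `Authorization` header can simply be replayed. The following is an added example (not part of the original post or of any Habr reply) showing how RFC 2617 Digest with `qop=auth` computes the response, and how a server that keeps the nonce it issued together with the highest nonce-count (`nc`) it has seen rejects a replayed header without having to change the nonce on every request. The realm, user name and password are constructed for the demo; the RFC 2617 test vector in the usage note is the one published in the RFC.

```python
import hashlib
import secrets
import time

# Constructed demo credentials (not from the original post).
REALM = "example@habr.local"
USERS = {"alice": "s3cret"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1 ':' nonce ':' nc ':' cnonce ':' qop ':' HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Issues nonces and verifies Authorization fields; one nonce may be reused
    by the same client as long as nc strictly increases."""

    def __init__(self, users, realm, nonce_lifetime=300):
        self.users = users
        self.realm = realm
        self.nonce_lifetime = nonce_lifetime
        self.nonces = {}  # nonce -> (issued_at, highest nc accepted so far)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (time.time(), 0)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, uri, auth):
        """auth: parsed fields of the Authorization header. Returns (ok, reason)."""
        rec = self.nonces.get(auth["nonce"])
        if rec is None:
            return False, "unknown nonce"
        issued, last_nc = rec
        if time.time() - issued > self.nonce_lifetime:
            del self.nonces[auth["nonce"]]
            return False, "stale nonce"
        nc = int(auth["nc"], 16)
        if nc <= last_nc:  # a copied header carries an nc the server has already consumed
            return False, "replayed nonce-count"
        password = self.users.get(auth["username"])
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], password, self.realm, method,
                                   uri, auth["nonce"], nc, auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return False, "bad response"
        self.nonces[auth["nonce"]] = (issued, nc)
        return True, "ok"


class DigestClient:
    def __init__(self, username, password):
        self.username, self.password, self.nc = username, password, 0

    def authorize(self, method, uri, chal):
        self.nc += 1
        cnonce = secrets.token_hex(8)
        resp = digest_response(self.username, self.password, chal["realm"], method,
                               uri, chal["nonce"], self.nc, cnonce)
        return {"username": self.username, "realm": chal["realm"], "nonce": chal["nonce"],
                "uri": uri, "nc": f"{self.nc:08x}", "cnonce": cnonce, "qop": "auth",
                "response": resp}


def demo():
    server = DigestServer(USERS, REALM)
    client = DigestClient("alice", "s3cret")
    chal = server.challenge()
    first = client.authorize("GET", "/private", chal)
    ok_first, _ = server.verify("GET", "/private", first)
    # Attacker sniffed the header and sends an exact copy.
    ok_replay, why_replay = server.verify("GET", "/private", dict(first))
    # Legitimate client reuses the nonce with nc=2.
    ok_second, _ = server.verify("GET", "/private", client.authorize("GET", "/private", chal))
    # Attacker bumps nc but cannot recompute the response without HA1.
    forged = dict(first)
    forged["nc"] = "00000003"
    ok_forged, why_forged = server.verify("GET", "/private", forged)
    return ok_first, (ok_replay, why_replay), ok_second, (ok_forged, why_forged)


if __name__ == "__main__":
    print(demo())
```

The `nc` field is what answers the post's worry: the nonce can stay the same for many requests, the server only has to remember the last count it accepted per nonce, and a copied header fails because its count has already been used. `digest_response` can be checked against the RFC 2617 example (user `Mufasa`, realm `testrealm@host.com`, password `Circle Of Life`, nonce `dcd98b7102dd2f0e8b11d0f600bfb0c093`, URI `/dir/index.html`, nc 1, cnonce `0a4f113b`), which must yield `6629fae49393a05397450978507c4ef1`. None of this protects the password from offline guessing once HA1 material is on the wire unencrypted, which is why the PS about SSL stands.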
