«

hi,
IIS 5 and 6, IE 5 and 6, simple authentication
does the browser send the username and password in clear text on every
request after been authenticated?

Given how HTTP is disconnected, with any authentication protocol the browser
needs to send something back to the server to identifit itself after it's
authenticated. With NTML it's a identification header, with FormsAuth it's
the forms auth cookie.

-Brock
DevelopMentor
http://staff.develop.com/ballen



> hi,
> IIS 5 and 6, IE 5 and 6, simple authentication
> does the browser send the username and password in clear text on every
> request after been authenticated?

On Wed, 7 Sep 2005 16:22:02 +0300, "Coldman" <> wrote:

¤ hi,
¤ IIS 5 and 6, IE 5 and 6, simple authentication
¤ does the browser send the username and password in clear text on every
¤ request after been authenticated?
¤

I guess it depends on what you mean by simple authentication. For Basic authentication the user ID
and password are not encrypted and can be impersonated and delegated at the web server. With
Integrated Windows Security, NTLM handles the authentication and credentials can be impersonated but
not delegated unless Kerberos is configured. Clear text credentials are not an issue with Integrated
Windows Security.


Paul
~~~~
Microsoft MVP (Visual Basic)

Coldman wrote:
> hi,
> IIS 5 and 6, IE 5 and 6, simple authentication
> does the browser send the username and password in clear text on every
> request after been authenticated?
>
>

i meant basic not simple
"with any authentication protocol the browser needs to send something
back to the server to identifit itself after it's authenticated"

what is IE sending - is it the username and pass or some other proove
this is the same client?

thanks

On Wed, 07 Sep 2005 20:29:52 +0300, John <> wrote:

¤ Coldman wrote:
¤ > hi,
¤ > IIS 5 and 6, IE 5 and 6, simple authentication
¤ > does the browser send the username and password in clear text on every
¤ > request after been authenticated?
¤ >
¤ >
¤
¤ i meant basic not simple
¤ "with any authentication protocol the browser needs to send something
¤ back to the server to identifit itself after it's authenticated"
¤
¤ what is IE sending - is it the username and pass or some other proove
¤ this is the same client?

It has to send an authentication header (which is cached by the browser after initial
authentication) each time if the web server responds with an authentication request.


Paul
~~~~
Microsoft MVP (Visual Basic)