Matt Matijevich said:
> <snip>
> I'm about 90% sure that URL strings are passed in the clear to SSL
> servers, so this would defeat the purpose of SSL.
> </snip>
>
> I don't think this is true. You can see the query string in the
> address bar, but (with what little http knowledge I have) the http
> conversation is encrypted, if you sniff it, the contents will be
> encrypted, even the query string.

This still might make the user uncomfortable (it'd make me uncomfortable) so we can't ignore the "warm fuzzy" factor. But if you can confirm this, perhaps it'd be good enough.

It seems this was fixed in a newer version of PHP or Apache or OpenSSL. Perhaps their lazy admins just need to update their server. Of course, I've been known to miss a few upgrades (he he he :-) so there's certainly an allowance for laziness, but not if my request for them to upgrade is ignored.

Do you know of any other MySQL-enabled auth methods? Can you confirm GET strings are also encrypted?

/dev/idal

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php