Karoly Negyesi wrote:
have a fallback mechanism where we try https and if that fails, we use
When I tried introducing HTTPS into Drupal, it was said that something named phplib is the solution, not https. May or may not be relevant in this discussion.
I would say that PHPLIB's technique[1] for avoiding sending auth information in clear text is a good solution for those who can't afford to go the HTTPS route. Adding SSL code to Drupal's remote or local auth would be a black hole for resources. Local auth HTTPS should remain at the server. If an admin is running a site where security is that important, his or her server ought to be running HTTPS, and most browsers out there support it directly. That does not solve the remote auth problem, however. But HTTPS seems more work than it is worth at this point.

[1] client side: crlogin.ihtml: http://tinyurl.com/6ysow
    server side: local.inc, Example_Challenge_Auth(): http://tinyurl.com/3wvyo

--
Chris Johnson
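A general challenge-response login of the kind the post refers to, as an added example that is not PHPLIB's or Drupal's code. It assumes HMAC-SHA256 from Node's crypto module; every function name and the sample account are hypothetical and constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumption: the shared secret is a key derived from user and password.
// The server stores this key, never the password itself.
const deriveKey = (user, password) =>
  crypto.createHash('sha256').update(`${user}:${password}`).digest();

// Constructed sample account.
const accounts = new Map([['alice', deriveKey('alice', 'correct horse')]]);
const pending = new Map(); // challenge id -> challenge, each usable once

// Server, step 1: send a fresh random challenge along with the login form.
function issueChallenge() {
  const id = crypto.randomBytes(8).toString('hex');
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.set(id, challenge);
  return { id, challenge };
}

// Client: only this response crosses the wire, never the password.
function clientResponse(user, password, challenge) {
  return crypto.createHmac('sha256', deriveKey(user, password))
    .update(challenge).digest('hex');
}

// Server, step 2: recompute the response and compare in constant time.
function verifyLogin(user, id, response) {
  const challenge = pending.get(id);
  pending.delete(id); // a challenge is accepted at most once
  const key = accounts.get(user);
  if (!challenge || !key || typeof response !== 'string') return false;
  const expected = crypto.createHmac('sha256', key).update(challenge).digest();
  const got = Buffer.from(response, 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Genuine login, a replay of the captured response, and a wrong password.
function demo() {
  const c1 = issueChallenge();
  const r1 = clientResponse('alice', 'correct horse', c1.challenge);
  const first = verifyLogin('alice', c1.id, r1);
  const replay = verifyLogin('alice', c1.id, r1);
  const c2 = issueChallenge();
  const wrong = verifyLogin('alice', c2.id,
    clientResponse('alice', 'guess', c2.challenge));
  return { first, replay, wrong };
}
```

The stored key is password-equivalent, and nothing after the login step is protected, so an exchange like this covers only the cleartext-credential exposure the post mentions.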