[drupal-devel] remote auth and required email/password fields
Chris Johnson
chris at tinpixel.com
Thu Mar 17 03:07:32 UTC 2005
Karoly Negyesi wrote:
>>have a fallback mechanism where we try https and if that fails, we use
>
>
> When I have tried introducing HTTPS into Drupal, it was said that something
> named phplib is the solution not https. May or may not be relevant in this
> discussion.
I would say that PHPLIB's technique[1] for avoiding sending auth information
in clear text is a good solution for those who can't afford to go the HTTPS
route. Adding SSL code to Drupal's remote or local auth would be a black hole
for resources. Local auth HTTPS should remain at the server. If an admin is
running a site where security is that important, his or her server ought to be
running HTTPS, and most browsers out there support it directly. That does not
solve the remote auth problem, however. But HTTPS seems more work than it is
worth at this point.
[1]
client side: crlogin.ihtml: http://tinyurl.com/6ysow
server side: local.inc, Example_Challenge_Auth(): http://tinyurl.com/3wvyo
--
Chris Johnson