Posted to users@httpd.apache.org by Jay Leggett <jl...@lenovo.com> on 2017/12/22 16:20:48 UTC

[users@httpd] Authentication options besides basic

We have an internal site that uses basic authentication and is backed by LDAP. However, we would like to move to a more secure solution that uses a login page instead of the browser prompt for entering userid/password. We switched to using form authentication, but it passes credentials as tokens in the session. Is there a more secure option besides basic and form authentication? Also, we would like for authentication to be done by the Apache web server and passed to Tomcat.

Thanks in advance for any assistance.

Jay Leggett

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Authentication options besides basic

Posted by Marat Khalili <mk...@rqc.ru>.
Basic authentication within an SSL connection is actually pretty secure, but not very user-friendly. For instance, digest authentication is actually less secure, because it forces you to store passwords in plaintext.

Form authentication, like everything inside the webpage, is better left to a layer above the web server. If you don't like basic authentication, you probably need to implement authentication as part of your Tomcat application.
-- 

With Best Regards,
Marat Khalili
