Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.misc -> Re: Database Authentication on Webserver 3.0?
On Fri, 03 Oct 1997 20:08:40 GMT, cord_at_ragesoft.NOSPAMMERZ.com (Robert Cordingley) wrote:
>On Thu, 02 Oct 1997 14:24:03 GMT, tkyte_at_us.oracle.com (Thomas Kyte) wrote:
>
>>The way to get the passwords (and everything else in fact) sent in a secure
>>fashion is to use SSL over HTTP. If you use https instead of just http, the
>>entire conversation between the browser and the webserver will be encrypted,
>>including the HTTP headers where the username/password is sent in a base64
>>encoded string.
>
>But Tom, SSL uses a great deal more cpu power than plain ol' http and it's
>kinda overkill don't you think? There oughta be a way to throw oracle
>usernames and passwords through digest encryption.
>
>Robert
No, I personally don't think its overkill. Lots of people use SSL as a matter of fact and get excellent performance. But anyway....
I agree there should be a way to do this with digests, however, that needs to be supported in the browser (which is isn't by Netscape for example). The webserver certainly supports digest authentication but only if the browser can do it. The digest is created by the browser and sent in place of the password. If the browser refuses to create the digest, we can't do anything about it.
Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government
Bethesda MD
http://govt.us.oracle.com/ -- downloadable utilities