Brad Clements wrote:
On 25 Jan 99, at 9:51, Kevin Dangoor wrote:
server. The current implementations of HTTP do not allow for long-lived connections, so the browser sends the user name and password with each request. (The browser makes it so that the user only needs to enter it once, though.)
I don't think this is entirely true. HTTP does allow the client and server to agree to keep the connection open. You can see this happening between iexploder and iis...
Kevin's point is correct, despite how one particular browser and one particular server might maintain a persistent state. Robert is best advised to conduct his entire session via secure socket layer if the information is sensitive. Moreover, I think Robert's concern was the possible performance hit by using SSL rather than a regular socket connection. This hardly adds enough overhead to warrant dropping into an insecure session.

Jeff Bauer
Rubicon, Inc.
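An added example, not part of the original thread: a loopback server and client that send several requests over one persistent HTTP/1.1 connection, showing that the credentials still travel (decodably) with every request and that the open connection does not remember them. It assumes HTTP Basic authentication, which the thread does not name; the user name, password, handler and `run_demo` function are constructed for illustration.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # (client source port, decoded credentials or None), one entry per request

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # allow persistent (keep-alive) connections

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        # Basic credentials are only base64-encoded, so any reader of the stream can decode them.
        creds = base64.b64decode(auth[6:]).decode() if auth.startswith("Basic ") else None
        SEEN.append((self.client_address[1], creds))
        self.send_response(200 if creds else 401)
        if creds is None:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo(user="robert", password="constructed-pw", authed_requests=3):
    """Send several requests over ONE connection; return (statuses, copy of SEEN)."""
    SEEN.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
    statuses = []
    try:
        for i in range(authed_requests + 1):
            # The last request omits the header to test whether the connection "remembers".
            headers = {"Authorization": "Basic " + token} if i < authed_requests else {}
            conn.request("GET", "/", headers=headers)
            resp = conn.getresponse()
            resp.read()
            statuses.append(resp.status)
    finally:
        conn.close()
        server.shutdown()
        server.server_close()
    return statuses, list(SEEN)

if __name__ == "__main__":
    print(run_demo())
```

Every entry shares one source port (a single TCP connection), yet the server sees the full credentials on each authenticated request and answers 401 as soon as the header is left off, which is why the whole session belongs inside SSL.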