[nycphp-talk] Another stupid thing

Paul A Houle paul at devonianfarm.com
Mon Feb 2 13:05:51 EST 2009


Digest authentication doesn't really work because the different
browser and server vendors never achieved interoperability.

If you're worried about transmissions being intercepted, use SSL.
Both Apache 2 and IIS have SSL built in, so it's straightforward to
implement. You can spend as much as you like on an SSL certificate,
but you can get them cheap from GoDaddy or sign them yourself for
internal products with no budget.

Note that sites like Yahoo, Google, Amazon, Twitter, eBay, and
Digg don't use Basic Auth, Digest Auth or any of the Auth systems built
into the HTTP standard. They use the unofficial standard that's
described in the following paper:

http://pdos.csail.mit.edu/papers/webauth:sec10.pdf





