Anyone know of a pre-built solution for a Vehicle Rental company? Needs to show availability, allow users to book online etc. ASP based would be great but could probably work with PHP. I found a couple of options listed but they don't appear to be too hot. Anyone using or seen something that may do the job? Thanks, Chris. -----Original Message----- From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Schaefer Sent: 28 August 2007 07:30 To: thelist at lists.evolt.org Subject: Re: [thelist] Windows WebDAV problem with authentication What about using some alternate authentication mechanism? Digest or NTLM or Kerberos spring to mind (if SSL/TLS or IPSec can not be used to secure the channel) Cheers Ken -----Original Message----- From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Hassan Schroeder Sent: Wednesday, 22 August 2007 12:13 AM To: thelist at lists.evolt.org Subject: Re: [thelist] Windows WebDAV problem with authentication On 8/20/07, Ken Schaefer <Ken at adopenstatic.com> wrote: > Question - why are you using Basic Authentication over plain HTTP? As step two in evaluating whether WebDAV is a viable option for the client? Which, given that it requires mucking with the registry, is not at this point certain... > ... why would you ask your users to deliberately make their machines > less secure than before? > > This setting does not apply to just your server. It means that anytime > the user is convinced to connect to a remote server that supports > WebDAV they may be prompted for their credentials, which would > potentially be sent in clear text 1. ? "..convinced to connect..." ? How would that work? We're talking about "Network Places" deliberately created by the user here, not something accessed through a browser from, say, a link in an email. How is that exploitable? 2. Any random Web site can "prompt for credentials" to be sent in clear text -- why is that less of a threat? But OK, for the sake of argument -- if you think that UseBasicAuth is inherently insecure -- what's the alternative? -- Hassan Schroeder ------------------------ hassan.schroeder at gmail.com -- -- * * Please support the community that supports you. * * http://evolt.org/help_support_evolt/ For unsubscribe and other options, including the Tip Harvester and archives of thelist go to: http://lists.evolt.org Workers of the Web, evolt !