From HFB p.647, it said FORM-Based Authentication needs to use SSL or session tracking.
I think any of the auth mechanisms can use SSL or session tracking.
I read somewhere that session tracking with URL rewriting is problematic (what the problem is was not mentioned, as I remember), so session tracking using cookies or session tracking built into SSL should be used.
Sorry but I don't think this is correct. The SSL gives more security because the encryption is good. For example BASIC won't use SSL. Secure socket layer has a built in mechanism which the container can use to track session.
I think typically for INTEGRAL or CONFIDENTIAL transport SSL is used
can be used BUT the website just continuously shows the login page (for the FORM method) or a popup window requesting login (for BASIC and DIGEST) even if the username and password are correct, right?
Sawan mentioned that the BASIC and FORM auth use uu-encoding. But I don't think FORM auth uses uu-encoding. It is just plain text.