Passing encrypted password between systems - ideas?
Message
From
03/08/2018 14:15:23
 
 
To
02/08/2018 18:25:39
General information
Forum:
Visual FoxPro
Category:
Coding, syntax & commands
Environment versions
Visual FoxPro:
VFP 9 SP2
OS:
Windows Server 2012 R2
Network:
Windows Server 2012 R2
Database:
Visual FoxPro
Application:
Desktop
Virtual environment:
VMWare
Miscellaneous
Thread ID:
01660458
Message ID:
01661435
Views:
56
Thanks Marco. That clears up my questions.

Albert

>Hi Albert,
>
>*** I assume the "DB" in the next line is the server side database, correct?
>yes, the server ( web service ) receives this and saves only the user & password hash
>
>*** what gets returned to the client at this point? or is there something returned?
>only an operation status... a simple "http 200 ok" with operation succeeded or password changed if all went ok.
>
>
>*** is there anything passed above that a man in the middle attack could grab and impersonate the client?
>
>the above procedure only covers the initial authentication process, and prevents the user password from traveling or being "saved as is" on the server. There's the improved digest authentication, which enforces a sequence control, short expiration and signing of all the http messages with a similar procedure, but it only makes it harder to hack the conversation. Only TLS can protect against man in the middle attacks.
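
Added example, not part of the original thread and not code from either poster: a server-side check for the signed-message scheme the quoted reply describes, with a sequence number, a short expiry and an HMAC over every request. The key derivation (PBKDF2 salted with the user name), the field layout and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

def derive_key(user: str, password: str) -> bytes:
    # Assumption: the server's stored "password hash" is this PBKDF2 output.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

def sign(key: bytes, method: str, path: str, seq: int, expires: int, body: bytes) -> str:
    # The signature covers method, path, sequence number, expiry and a body digest.
    fields = [method, path, str(seq), str(expires), hashlib.sha256(body).hexdigest()]
    return hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()

class Verifier:
    """Server side: holds only derived keys, never the clear password."""

    def __init__(self, stored_keys: dict):
        self.keys = stored_keys
        self.last_seq = {}  # highest sequence number accepted per user

    def check(self, user, method, path, seq, expires, body, sig, now=None) -> str:
        now = time.time() if now is None else now
        key = self.keys.get(user)
        if key is None:
            return "unknown user"
        expected = sign(key, method, path, seq, expires, body)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return "bad signature"
        if now > expires:
            return "expired"
        if seq <= self.last_seq.get(user, 0):
            return "replayed or out of sequence"
        self.last_seq[user] = seq
        return "ok"

def demo() -> list:
    # Constructed sample values, not taken from the thread.
    key = derive_key("albert", "constructed-password")
    server = Verifier({"albert": key})
    now, body = 1_000_000, b'{"op":"save"}'
    exp = now + 30
    sig1 = sign(key, "POST", "/orders", 1, exp, body)
    sig2 = sign(key, "POST", "/orders", 2, exp, body)
    return [
        server.check("albert", "POST", "/orders", 1, exp, body, sig1, now),
        server.check("albert", "POST", "/orders", 1, exp, body, sig1, now + 1),
        server.check("albert", "POST", "/orders", 2, exp, b'{"op":"delete"}', sig1, now),
        server.check("albert", "POST", "/orders", 2, exp, body, sig2, now + 60),
    ]
```

The checks reject a replayed, altered or stale request, but the request body is still readable on the wire, which is why the reply points to TLS for man in the middle protection.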