Andrew Milton wrote:
In Digest Auth the browser 'hashes' the username and password the user enters and simply sends the hash. The webserver does the same and compares the hash to the hash sent by the browser. If they match then you're allowed in.
In Basic Auth the username and password are sent base64 encoded.
Perhaps you were confused about the password being stored encrypted ON THE WEB SERVER. The client and the server both need to agree on what they're hashing in order to get a common hash. This doesn't mean you can't store the digest hash instead of the normal password hash when creating/changing passwords.
In any case Digest Auth doesn't gain you anything if you're already on an SSL connection. It's there to prevent the password from being sent in the clear.
Ah, cool, that makes much more sense. Thanks Andrew!

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
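To make Andrew's explanation concrete, here is an added example (not code from the thread or from Zope) that implements the two schemes side by side in Python: Basic auth, where the base64 "encoding" is reversible by anyone who sees the header, and HTTP Digest auth as in RFC 2617 (the original form without `qop`), where both sides MD5 the same strings and only the result crosses the wire. The server stores HA1 = MD5(username:realm:password), the "digest hash instead of the normal password hash" Andrew mentions, rather than the password itself, and it issues a fresh random nonce per challenge and accepts it only once, which is what keeps a captured response from being replayed. The realm, usernames, passwords, URI and class names are constructed for the example.

```python
import base64
import hashlib
import secrets


# ---- Basic auth: base64 is an encoding, not a protection ------------------

def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_auth_decode(header: str) -> tuple[str, str]:
    """Anyone who sees the header recovers the credentials in one step."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# ---- Digest auth (RFC 2617, no qop): both sides hash the same inputs -------

def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what the server can store."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:uri), binding the response to the request."""
    return hashlib.md5(f"{method}:{uri}".encode()).hexdigest()


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:HA2); the password itself never appears."""
    return hashlib.md5(
        f"{ha1_value}:{nonce}:{ha2(method, uri)}".encode()
    ).hexdigest()


class DigestServer:
    """Hypothetical server side: stores HA1 per user, hands out one-shot nonces."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users: dict[str, str] = {}      # username -> HA1, never the password
        self.nonces: set[str] = set()        # outstanding, not-yet-used nonces

    def register(self, username: str, password: str) -> None:
        # Done once at account creation / password change; plaintext is dropped.
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        """401 response: send a fresh, unpredictable nonce."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str,
               response: str) -> bool:
        """Recompute the response from stored HA1 and compare in constant time."""
        if nonce not in self.nonces:          # unknown or already used
            return False
        stored = self.users.get(username)
        if stored is None:
            return False
        expected = digest_response(stored, nonce, method, uri)
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.nonces.discard(nonce)        # single use: a replay is rejected
        return ok


def client_authenticate(server: DigestServer, username: str, password: str,
                        method: str, uri: str) -> bool:
    """Browser side: take the challenge, compute the same hash, send only that."""
    nonce = server.challenge()
    response = digest_response(ha1(username, server.realm, password),
                               nonce, method, uri)
    return server.verify(username, nonce, method, uri, response)


if __name__ == "__main__":
    hdr = basic_auth_header("alice", "correct horse battery staple")
    print("Basic header:", hdr)
    print("Decoded by an observer:", basic_auth_decode(hdr))

    srv = DigestServer("example-realm")                   # constructed realm
    srv.register("alice", "correct horse battery staple")
    print("Digest, right password:", client_authenticate(
        srv, "alice", "correct horse battery staple", "GET", "/protected"))
    print("Digest, wrong password:", client_authenticate(
        srv, "alice", "wrong", "GET", "/protected"))
```

Two things the code makes visible that the prose only states: the server never needs the plaintext password after registration (only HA1), and the digest is tied to a nonce and to the method and URI, so a captured response is useless for another request or a second attempt. Note that HA1 is still a password-equivalent for that realm, so the stored table needs the same protection as a password database, and MD5 is the only algorithm RFC 2617 offers; Andrew's closing point stands: over TLS the channel already hides the credential, and Digest adds little.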