[Zope] SSL & Digest Auth

Chris Withers chris at simplistix.co.uk
Fri Feb 17 04:11:08 EST 2006


Andrew Milton wrote:
> In Digest Auth the browser 'hashes' the username and password the user enters and simply 
> sends the hash. The webserver does the same and compares the hash to the 
> hash sent by the browser. If they match then you're allowed in.
> 
> In Basic Auth the username and password are sent base64 encoded.
> 
> Perhaps you were confused about the password being stored encrypted ON THE WEB
> SERVER. The client and the server both need to agree on what they're hashing
> in order to get a common hash. This doesn't mean you can't store the digest
> hash instead of the normal password hash when creating/changing passwords.
> 
> In any case Digest Auth doesn't gain you anything if you're already on an SSL
> connection. It's there to prevent the password from being sent in the clear.

Ah, cool, that makes much more sense.

Thanks Andrew!

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
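The exchange Andrew describes above, as an added example that is not part of the original thread or of Zope's own authentication code: the Basic scheme is only base64 (the decoder recovers the password from the header), while in Digest both sides compute the same hash. It goes slightly beyond the post in following the RFC 2617 shape of that hash (HA1 = MD5(username:realm:password), mixed with the server nonce, a client nonce and the request method/URI), so that the server can verify from a stored HA1 without ever seeing the password. The realm, username, password and nonce values are constructed for the example; the library calls are Python standard library only.

```python
import base64
import hashlib
import secrets

# Constructed sample credentials and server-issued nonce (not from the original post).
REALM = "zope"
USERNAME = "alice"
PASSWORD = "s3cret"
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def basic_header(username, password):
    """Build a Basic Authorization header: plain base64, no secret involved."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header):
    """Anyone who sees a Basic header can recover 'username:password' from it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    return base64.b64decode(token).decode()


def _md5(text):
    # RFC 2617 Digest is defined over MD5; that is the algorithm, not a choice here.
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password).

    This is what the server may store instead of the password: it is enough
    to verify Digest responses for this realm, and the plaintext never needs
    to be kept or transmitted.
    """
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """The value both client and server compute (RFC 2617, qop=auth)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest(username, realm, password, method, uri, nonce,
                  nc="00000001", cnonce=None):
    """Browser side: hash the entered credentials and send only the hash."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = digest_ha1(username, realm, password)
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def server_verify(params, method, stored_ha1, issued_nonce):
    """Server side: recompute from the stored HA1 and compare with the client's hash.

    The nonce must be one the server actually issued; otherwise a captured
    response could simply be replayed.
    """
    if params.get("nonce") != issued_nonce:
        return False
    expected = digest_response(stored_ha1, method, params["uri"], params["nonce"],
                               params["nc"], params["cnonce"], params["qop"])
    return secrets.compare_digest(expected, params["response"])


if __name__ == "__main__":
    print(basic_decode(basic_header(USERNAME, PASSWORD)))
    creds = client_digest(USERNAME, REALM, PASSWORD, "GET", "/manage", SERVER_NONCE)
    ha1_on_server = digest_ha1(USERNAME, REALM, PASSWORD)   # stored at password-set time
    print(server_verify(creds, "GET", ha1_on_server, SERVER_NONCE))
```

The server never needs the password after HA1 is stored, which is Andrew's point about storing the digest hash at password creation time; note that HA1 is bound to the realm, so changing the realm string invalidates every stored HA1.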