zope zserver support for Digest authentication
Ng Pheng Siong
ngps at madcap.netmemetic.com
Sun Jan 13 11:18:23 EST 2002
According to Paul Rubin <phr-n2002a at nightsong.com>:
> A lot of browsers still don't support digest auth, so it's unadvisable
> for servers to depend on it. Digest auth was a worthwhile idea for
> about 5 minutes, before there were free SSL servers and fast enough
> computers to not get strained by SSL session negotiation. These days,
> it's preferable to use HTTPS instead of HTTP if you need security.
Take a look at AuthCookie in my just-released snapshot of M2Crypto. This
module allows you to create and verify unforgeable HMAC'ing cookies. (Based
on the scheme described at http://cookies.lcs.mit.edu/.)
AuthCookie occupies a useful position between clear-text basic
authentication and full-blown HTTPS.
For those who think cookies are no good, you can easily use an AuthCookie's
output in a hidden field in your HTML. ;-)
As usual, M2Crypto is here:
http://www.post1.com/home/ngps/m2/
Cheers.
--
Ng Pheng Siong <ngps at netmemetic.com> * http://www.netmemetic.com
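
The idea of an HMAC-authenticated cookie mentioned in the message above, as an added sketch using Python's standard hmac module. It is not M2Crypto's AuthCookie code or API; the function names, the cookie layout and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key (assumption): a real server keeps a random secret.
SECRET_KEY = b"constructed-demo-key"


def _mac(key, payload):
    """Hex HMAC-SHA256 of the payload string, returned as ASCII bytes."""
    digest = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest.encode("ascii")


def make_cookie(key, data, expiry):
    """Build 'exp=<unix time>&data=<value>&digest=<HMAC of the first two fields>'."""
    if "&" in data or "=" in data:
        raise ValueError("data must not contain field delimiters")
    payload = "exp=%d&data=%s" % (expiry, data)
    return "%s&digest=%s" % (payload, _mac(key, payload).decode("ascii"))


def verify_cookie(key, cookie, now=None):
    """Return the data value if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    payload, sep, digest = cookie.rpartition("&digest=")
    if not sep:
        return None
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(_mac(key, payload), digest.encode("utf-8")):
        return None
    exp_field, _, data_field = payload.partition("&")
    if not exp_field.startswith("exp=") or not data_field.startswith("data="):
        return None
    try:
        expiry = int(exp_field[len("exp="):])
    except ValueError:
        return None
    # The expiry is covered by the MAC, so a client cannot extend it.
    if now >= expiry:
        return None
    return data_field[len("data="):]


if __name__ == "__main__":
    cookie = make_cookie(SECRET_KEY, "alice", int(time.time()) + 3600)
    print(cookie)
    print(verify_cookie(SECRET_KEY, cookie))
    print(verify_cookie(SECRET_KEY, cookie.replace("alice", "admin")))
```

The same string can be placed in a hidden form field instead of a cookie; without HTTPS it is still visible to an eavesdropper and can be replayed until it expires.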