Challenge/Response authentication

Dale Strickland-Clark dale at riverhall.NOTHANKS.co.uk
Fri Jul 26 19:25:19 EDT 2002


Paul Rubin <phr-n2002b at NOSPAMnightsong.com> wrote:

>I'm not sure I understand this--where does the challenge come from?
>
>What stops someone from intercepting and re-using the authenticating URL?
>
>Maybe you want to read the HTTP spec for digest authentication and 
>do what it says.  But use HMAC instead of simply appending a password
>to the challenge.

I see the process working something like this:

1. The client system calls a CGI script on our server and retrieves a
challenge string and thus initiates a session
2. The client system then constructs the frame page with its response
in the url for the frame source (among other things).
3. If authenticated, we display the requested forms (in sequence),
passing control to a pre-arranged url at the end of processing.

This isn't a sensitive application. If someone breaks into it, all
they are rewarded with is a series of forms to fill in. We just want to
limit the scope for idle buggering about.
--
Dale Strickland-Clark
Riverhall Systems Ltd
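The three-step flow sketched above, written out as an added Python example (not code from the original thread or from Riverhall Systems): the server hands out a random one-shot challenge, the client puts an HMAC of that challenge in the frame-source URL, and the server accepts each challenge once and only within a short lifetime, which is what answers Paul's question about intercepting and re-using the URL. The client id, the shared secret, the `example.invalid` URL, and the TTL are all constructed for the example; `weak_response` is included only to show the "append the password to the challenge" construction that the reply advises against, next to the HMAC version it recommends.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data: one client and the secret it shares with the server.
# In a real deployment the secret is provisioned out of band and stored server-side.
SHARED_SECRETS = {"client-42": b"hypothetical-shared-secret"}


def weak_response(secret, challenge):
    """The construction the reply advises against: hash(challenge || password).
    Kept only to contrast with the keyed HMAC version below."""
    return hashlib.sha256(challenge.encode() + secret).hexdigest()


def compute_response(secret, challenge):
    """Keyed response: HMAC-SHA256 over the challenge, shared secret as the key."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


def build_frame_url(base_url, client_id, challenge, response):
    """Step 2: the client embeds its response in the frame-source URL."""
    query = urlencode({"client": client_id, "challenge": challenge, "response": response})
    return f"{base_url}?{query}"


class ChallengeServer:
    """Server side of steps 1 and 3: issue one-shot challenges, verify responses."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.pending = {}  # challenge -> (client_id, issued_at)

    def issue_challenge(self, client_id, now=None):
        """Step 1: the CGI script hands out a fresh random challenge per session."""
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)  # 128 random bits, never reused
        self.pending[challenge] = (client_id, now)
        return challenge

    def verify(self, client_id, challenge, response, now=None):
        """Step 3: accept a response only once, only for the client the challenge
        was issued to, only within the TTL, and only if the HMAC matches."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge, None)  # pop makes the challenge single-use
        if entry is None:
            return False  # unknown, already consumed, or a replayed URL
        issued_to, issued_at = entry
        if issued_to != client_id or now - issued_at > self.ttl:
            return False
        secret = SHARED_SECRETS.get(client_id)
        if secret is None:
            return False
        expected = compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison

    def verify_url(self, url, now=None):
        """Pull the fields out of the frame-source URL and verify them."""
        params = parse_qs(urlparse(url).query)
        try:
            client = params["client"][0]
            challenge = params["challenge"][0]
            response = params["response"][0]
        except (KeyError, IndexError):
            return False
        return self.verify(client, challenge, response, now=now)


if __name__ == "__main__":
    server = ChallengeServer()
    challenge = server.issue_challenge("client-42")
    url = build_frame_url("https://example.invalid/frame.cgi", "client-42", challenge,
                          compute_response(SHARED_SECRETS["client-42"], challenge))
    print("first use accepted:", server.verify_url(url))     # True
    print("replayed URL accepted:", server.verify_url(url))  # False
```

Two design points: the challenge is removed from the pending table before the HMAC is checked, so a captured URL is dead after its first use regardless of whether the check passed; and `hmac.compare_digest` rather than `==` keeps the comparison from leaking how many leading bytes of a guessed response were right.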



More information about the Python-list mailing list