passwords to CGI

Andrew Clover and-google at doxdesk.com
Wed Jan 15 16:52:36 CET 2003


Will Stuyvesant <hwlgw at hotmail.com> wrote:

> Is there a way to encrypt a password before it is sent?

  A. Use SSL.
  B. Use HTTP Digest Authentication.
  C. Use client-side scripting to hash the password.

(A) is good, but implies the hassle of getting certificates, and
an HTTPS server if you are not already using one.

(B) is great, but is not well-supported by user agents. (read:
no-go on Internet Explorer)

(C) is effective but requires the user to have JavaScript enabled.

I usually end up (on non-SSL sites) using a hybrid authentication
scheme where a script on the page generates an MD5 hash of the
password entered and puts it in a cookie. If the authentication-
required page(s) don't see a valid login cookie they fall back to
using HTTP Basic Authentication.

Can send you client JavaScript and server Python code that implements
this if it might help.

-- 
Andrew Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/




More information about the Python-list mailing list