Python Scripts to logon to websites

Paul Rubin http
Wed Jan 11 22:20:11 EST 2006


Peter Hansen <peter at engcorp.com> writes:
> My information about digest was either obsolete or simply wrong, as I
> didn't realize it had all the nonce and anti-replay support it appears
> to have.  (I may have been remembering articles about how much of that
> wasn't supported widely at some time in the past, meaning replays were
> still quite possible in most cases.  No longer sure.)  Thanks for the
> correction.

Digest is actually rarely used, since sites with enough security
requirements to make it worthwhile generally use SSL/TLS with either
basic auth, or with some login mechanism implemented by the
application.  Actually, HTTP authentication (basic or digest) is not
used all that much in general these days, since nontrivial web apps
generally prefer to do their own authentication.  It was more common
in the early days of the web when most pages were static.

> In my own opinion, however, requiring that passwords be stored in
> clear text on the server is still quite a bad thing to do.

Digest auth, like basic auth, doesn't require storing the cleartext
password; only a hash of the password needs to be stored.  See RFC
2617 for details.
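The two points raised in this exchange (the server stores only a hash rather than the cleartext password, and the nonce/nonce-count mechanism resists replay) can both be seen in a small RFC 2617 simulation. The code below is an added example written for this page, not code from the original thread: it uses a constructed realm, user and password, and it follows RFC 2617 in using MD5 because that is what the RFC specifies, not because MD5 is a good choice today. Note that the stored value HA1 = MD5(username:realm:password) is a hash but is still password-equivalent for that realm (anyone holding it can answer a challenge), so it has to be protected like a credential.

```python
import hashlib
import secrets

REALM = "example.invalid"   # constructed realm for this example


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1: what the server keeps instead of the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop="auth"; computed identically by client and server."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm):
        self.realm = realm
        self.users = {}    # username -> HA1; no cleartext password is stored
        self.nonces = {}   # nonce -> highest nonce-count (nc) accepted so far

    def add_user(self, username, password):
        self.users[username] = make_ha1(username, self.realm, password)

    def issue_nonce(self):
        """Fresh server nonce for a WWW-Authenticate challenge."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method, uri, fields):
        """Check the Authorization fields; reject unknown nonces and replays."""
        username, nonce = fields["username"], fields["nonce"]
        if username not in self.users or nonce not in self.nonces:
            return False
        nc = int(fields["nc"], 16)
        if nc <= self.nonces[nonce]:
            return False   # replay: nc must strictly increase per nonce
        expected = digest_response(self.users[username], method, uri, nonce,
                                   fields["nc"], fields["cnonce"], fields["qop"])
        if not secrets.compare_digest(expected, fields["response"]):
            return False
        self.nonces[nonce] = nc
        return True


class DigestClient:
    def __init__(self, username, password):
        self.username, self.password, self.nc = username, password, 0

    def authorize(self, method, uri, realm, nonce):
        """Build the Authorization fields for one request under a given nonce."""
        self.nc += 1
        nc = f"{self.nc:08x}"
        cnonce = secrets.token_hex(8)
        ha1 = make_ha1(self.username, realm, self.password)
        return {"username": self.username, "realm": realm, "nonce": nonce,
                "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
                "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


def run_exchange():
    """Constructed exchange: valid login, replayed header, wrong password."""
    server = DigestServer(REALM)
    server.add_user("alice", "correct horse")
    client = DigestClient("alice", "correct horse")

    nonce = server.issue_nonce()
    fields = client.authorize("GET", "/private", REALM, nonce)
    first = server.verify("GET", "/private", fields)
    replay = server.verify("GET", "/private", fields)   # same nonce, same nc

    wrong = DigestClient("alice", "wrong password")
    fresh = server.issue_nonce()
    bad = server.verify("GET", "/private", wrong.authorize("GET", "/private", REALM, fresh))

    stored_cleartext = "correct horse" in server.users.values()
    return {"first": first, "replay": replay, "wrong_password": bad,
            "stored_cleartext": stored_cleartext}


if __name__ == "__main__":
    print(run_exchange())
```

The `digest_response` function reproduces the worked example in RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"), which is a convenient way to check an implementation against the specification.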



More information about the Python-list mailing list