Somewhat OT: HTTP Authentication - Digest

Discussion in 'MCSE' started by EJ, Oct 24, 2003.

  1. EJ

    EJ Guest

    Not something an MCSE absolutely has to know, but someone complained that
    there aren't any useful discussions here:

    I had a discussion yesterday with a friend about digest HTTP authentication,
    what are your thoughts?

    A webserver serving a protected document using the digest method answers
    initial client requests with a 401 but includes an authentication challenge.
    The server-generated 401 includes in the header a nonce, a random value.
    This nonce is then encrypted along with the client's user name and password
    (as well as some other data) and sent back to the server. The original nonce
    is also sent back.

    The server will then compare the client-generated hash value with its own
    calculated value.

    Question: In that calculation, does the server use the nonce sent back by
    the client or does it *remember* the nonce value it originally sent? The
    reason I ask: that would make it a stateful protocol..

    If the server does not remember the original nonce value, then the purpose
    of the nonce is simply to enable the client to send a different hash value
    with every request, even if the same URL is requested over and over again.
    That's a good reason for it to exist, but then why does the server generate
    and send it in the first place? The client could just generate the nonce
    itself..

    If the server does remember, it would enable the server to control the
    maximum time the client has to authenticate, among other stuff..

    Some of those goals are mentioned in RFC 2617 but to us it was not clear if
    those requests are realized in HTTP 1.0..
    EJ, Oct 24, 2003
    #1
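
An added example, not part of EJ's post: RFC 2617 suggests building the nonce from a timestamp and a server-private key, so the server can validate the nonce the client echoes back without remembering it. The sketch below swaps in HMAC-SHA256 over the timestamp for the RFC's hash construction and uses the response formula without `qop`; `SERVER_KEY`, `NONCE_TTL`, the function names and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent
NONCE_TTL = 300                       # assumption: seconds a nonce stays valid

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def _mac(ts):
    return hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()

def make_nonce(now):
    """Server mints a self-validating nonce: timestamp plus a MAC over it."""
    ts = str(int(now))
    return ts + ":" + _mac(ts)

def nonce_is_valid(nonce, now):
    """Check the echoed nonce with no per-client state kept on the server."""
    ts, _, mac = nonce.partition(":")
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False                  # not minted by this server, or altered
    return ts.isdigit() and 0 <= now - int(ts) <= NONCE_TTL

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_verify(creds, password_db, realm, method, now):
    """creds is the client's Authorization header, already parsed into a dict."""
    if not nonce_is_valid(creds["nonce"], now):
        return "stale-or-forged-nonce"  # a server would send 401 with a new nonce
    password = password_db.get(creds["username"])
    if password is None:
        return "denied"
    expected = digest_response(creds["username"], realm, password,
                               method, creds["uri"], creds["nonce"])
    ok = hmac.compare_digest(expected.encode(), creds["response"].encode())
    return "ok" if ok else "denied"
```

A nonce validated this way can still be replayed until it expires; rejecting reuse inside that window requires the server to track nonces or the `nc` counter, which is per-client state.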