[Live-devel] [request] WWW-Authenticate
Ross Finlayson
finlayson at live.com
Tue Sep 28 15:20:30 PDT 2004
> In future releases could you make
>UserAuthenticationDatabase::lookupPassword a virtual method?
Yes - that's a good idea. I'll do this. (In fact, I'll make
"addUserRecord()" and "removeUserRecord()" virtual also.)
>Actually it would be a lot better if instead it would be
>something like bool authenticate( const char* username, const char*
>password ), so those using MD5 passwords ( or any other hash ) could also
>take advantage of it =)
No, unfortunately the database really needs to store a password (and the
database lookup function needs to return a password), so that the server
can compute a correct digest response string (see
"Authenticator::computeDigestResponse()" in "DigestAuthentication.cpp"). A
digest response string (which the server computes in order to compare to
the corresponding string that was sent by the client) is computed as:
md5(md5(<username>:<realm>:<password>):<nonce>:md5(<cmd>:<url>))
so the server needs to know the password in order to compute this.
Ross Finlayson
LIVE.COM
<http://www.live.com/>
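
The digest check described in the reply above, as an added Python example that is not part of the original post and is not the LIVE.COM library's code. It follows the formula quoted in the message; the realm, user record, nonce, command and URL are constructed sample values, and `PASSWORD_DB` and the function names are hypothetical.

```python
import hashlib
import hmac


def md5_hex(text):
    """Hex MD5 of a string, as used at each step of the quoted formula."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_digest_response(username, realm, password, nonce, cmd, url):
    """md5(md5(<username>:<realm>:<password>):<nonce>:md5(<cmd>:<url>))"""
    inner_credentials = md5_hex(f"{username}:{realm}:{password}")
    inner_request = md5_hex(f"{cmd}:{url}")
    return md5_hex(f"{inner_credentials}:{nonce}:{inner_request}")


# Constructed sample data (assumptions, not values from the post).
REALM = "Example Realm"
PASSWORD_DB = {"alice": "s3cret"}  # stands in for the password lookup


def server_verify(username, nonce, cmd, url, client_response):
    """Recompute the response from the stored password and compare."""
    password = PASSWORD_DB.get(username)
    if password is None:
        return False
    expected = compute_digest_response(username, REALM, password,
                                       nonce, cmd, url)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, client_response)


def response_from_hash_only(username, password_md5, nonce, cmd, url):
    """What a store holding only md5(<password>) can compute: the hash
    lands in the <password> slot, so the result differs from the client's."""
    return compute_digest_response(username, REALM, password_md5,
                                   nonce, cmd, url)


if __name__ == "__main__":
    nonce, cmd, url = "0123456789abcdef", "DESCRIBE", "rtsp://server.example/stream"
    client = compute_digest_response("alice", REALM, "s3cret", nonce, cmd, url)
    print("client response:", client)
    print("server accepts :", server_verify("alice", nonce, cmd, url, client))
    print("md5(password) store matches:",
          response_from_hash_only("alice", md5_hex("s3cret"), nonce, cmd, url) == client)
```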