[Live-devel] [request] WWW-Authenticate

Ross Finlayson finlayson at live.com
Wed Sep 29 17:07:09 PDT 2004


> > No, unfortunately the database really needs to store a password (and the
> > database lookup function needs to return a password), so that the server
> > can compute a correct digest response string (see
> > "Authenticator::computeDigestResponse()" in "DigestAuthentication.cpp"). A
> > digest response string (which the server computes in order to compare to
> > the corresponding string that was sent by the client) is computed as:
> >          md5(md5(<username>:<realm>:<password>):<nonce>:md5(<cmd>:<url>))
> > so the server needs to know the password in order to compute this.
>
>It can't use a fake password then? Say, use <password> as something
>different than what the client sent to us?

No, because MD5 is a non-reversible function, the only way the server can 
verify that the digest response string (from the client) is legitimate is 
by computing its own copy of the string and comparing them.  To compute its 
own copy of the string, it needs the real password.


	Ross Finlayson
	LIVE.COM
	<http://www.live.com/>
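The computation discussed in this thread, worked through in Python as an added example (this is not live555 code and does not reproduce "Authenticator::computeDigestResponse()"; it implements the formula quoted above, which is the RFC 2617 digest without qop). The realm, the user database, the nonce handling, the request URI and the `Digest ...` header syntax are all constructed for the example. It shows both sides: the client building the response, and the server recomputing it from its stored credential. It also shows the one thing the server actually needs: the inner term md5(<username>:<realm>:<password>), called H(A1) in RFC 2617. A database that stores that value instead of the plaintext password can verify the same header, as long as the realm never changes. The server side additionally checks that the nonce is one it issued and that the `uri` field matches the request line, rather than trusting the header's copy of either.

```python
import hashlib
import hmac
import re
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """md5(<username>:<realm>:<password>): the only term that involves the secret."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(a1_hex: str, nonce: str, method: str, uri: str) -> str:
    """md5(md5(<username>:<realm>:<password>):<nonce>:md5(<cmd>:<url>)), RFC 2617 without qop."""
    h_a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{a1_hex}:{nonce}:{h_a2}")


def new_nonce() -> str:
    """Server-chosen per-challenge nonce; the server must remember what it issued."""
    return secrets.token_hex(16)


# ---- client side: build the Authorization header for one RTSP request ----
def client_authorization_header(username, realm, password, nonce, method, uri) -> str:
    response = digest_response(h_a1(username, realm, password), nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


# ---- server side ----
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_digest_header(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return dict(_FIELD_RE.findall(params))


REALM = "example-realm"                                          # constructed
PASSWORD_DB = {"alice": "correct horse battery staple"}         # constructed: plaintext store
HA1_DB = {u: h_a1(u, REALM, p) for u, p in PASSWORD_DB.items()}  # alternative: store H(A1)


def _check_common(fields: dict, realm: str, request_uri: str, issued_nonce: str) -> bool:
    """Fields the server must check before it even looks at the response digest."""
    return (fields.get("realm") == realm
            and fields.get("nonce") == issued_nonce   # accept only a nonce we issued
            and fields.get("uri") == request_uri)     # header uri must match the request line


def verify_with_password(header, method, request_uri, issued_nonce, db=PASSWORD_DB, realm=REALM):
    """What the mail describes: look up the real password and recompute the digest."""
    f = parse_digest_header(header)
    password = db.get(f.get("username"))
    if password is None or not _check_common(f, realm, request_uri, issued_nonce):
        return False
    expected = digest_response(h_a1(f["username"], realm, password), issued_nonce, method, request_uri)
    return hmac.compare_digest(expected, f.get("response", ""))  # constant-time compare


def verify_with_ha1(header, method, request_uri, issued_nonce, db=HA1_DB, realm=REALM):
    """Same check with the database holding md5(user:realm:password) instead of the password."""
    f = parse_digest_header(header)
    a1 = db.get(f.get("username"))
    if a1 is None or not _check_common(f, realm, request_uri, issued_nonce):
        return False
    expected = digest_response(a1, issued_nonce, method, request_uri)
    return hmac.compare_digest(expected, f.get("response", ""))


if __name__ == "__main__":
    nonce = new_nonce()
    uri = "rtsp://example.com/stream"
    hdr = client_authorization_header("alice", REALM, PASSWORD_DB["alice"], nonce, "DESCRIBE", uri)
    print(hdr)
    print("password store:", verify_with_password(hdr, "DESCRIBE", uri, nonce))
    print("H(A1) store:   ", verify_with_ha1(hdr, "DESCRIBE", uri, nonce))
    print("wrong method:  ", verify_with_password(hdr, "SETUP", uri, nonce))
```

A server that substitutes some other password (or any other value) for the stored one computes a different H(A1) and therefore a different response, so the comparison always fails; that is the point Ross makes above. Storing H(A1) instead of the password avoids keeping the plaintext, but note that H(A1) is itself a reusable credential for this realm: anyone who reads it can produce valid responses without ever knowing the password, so the database still needs the same protection.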
