[Live-devel] [request] WWW-Authenticate
Ross Finlayson
finlayson at live.com
Wed Sep 29 17:24:49 PDT 2004
> > No, unfortunately the database really needs to store a password (and the
> > database lookup function needs to return a password), so that the server
> > can compute a correct digest response string (see
> > "Authenticator::computeDigestResponse()" in "DigestAuthentication.cpp"). A
> > digest response string (which the server computes in order to compare to
> > the corresponding string that was sent by the client) is computed as:
> > md5(md5(<username>:<realm>:<password>):<nonce>:md5(<cmd>:<url>))
> > so the server needs to know the password in order to compute this.
>
> It can't use a fake password then? Say, use <password> as something
> different than what the client sent to us?
A follow-up to my earlier message. One thing that the 'user authentication
database' *could* do, instead of returning the actual password, is return
md5(<username>:<realm>:<password>)
That would allow the server to avoid having to store actual passwords
(which will give some protection in case the server database is leaked).
I will first need to update the "DigestAuthentication" code to support the
option of handling 'passwords' that are really
'md5(<username>:<realm>:<password>)'. I'll let you know when I've done this.
Ross Finlayson
LIVE.COM
<http://www.live.com/>
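The computation discussed in this thread, worked through as an added example (it is not live555 code and is not taken from "DigestAuthentication.cpp"): the client computes md5(md5(<username>:<realm>:<password>):<nonce>:md5(<cmd>:<url>)), which is the RFC 2617 digest response without qop, and the server can verify it while storing only the inner hash md5(<username>:<realm>:<password>), exactly the option Ross proposes above. The realm, user, password, nonce, RTSP command and URL below are constructed values, and the class and function names are my own.

```python
import hashlib
import hmac

# Added example (not live555 code): the digest computation from the message
# above, md5(md5(user:realm:password):nonce:md5(cmd:url)), and a server-side
# check that only ever stores md5(user:realm:password).
# All realms, users, nonces and URLs below are constructed for illustration.


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 digest, as the digest scheme uses it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """The inner hash, md5(<username>:<realm>:<password>)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response_from_ha1(ha1_hex: str, nonce: str, cmd: str, url: str) -> str:
    """Outer hash, md5(<ha1>:<nonce>:md5(<cmd>:<url>)). Needs no password."""
    ha2 = md5_hex(f"{cmd}:{url}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def client_response(username, realm, password, nonce, cmd, url) -> str:
    """What a client that holds the real password sends back to the server."""
    return digest_response_from_ha1(ha1(username, realm, password), nonce, cmd, url)


class HashedUserDatabase:
    """User database whose lookup returns md5(username:realm:password), never the password."""

    def __init__(self, realm: str):
        self.realm = realm
        self._records = {}  # username -> HA1 hex string

    def add_user(self, username: str, password: str) -> None:
        # The plaintext password is hashed immediately and never stored.
        self._records[username] = ha1(username, self.realm, password)

    def lookup(self, username: str):
        return self._records.get(username)


def server_verify(db: HashedUserDatabase, username: str, nonce: str,
                  cmd: str, url: str, response: str) -> bool:
    """Server-side check against the stored HA1, with a constant-time compare."""
    stored = db.lookup(username)
    if stored is None:
        return False
    expected = digest_response_from_ha1(stored, nonce, cmd, url)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Runs one challenge/response exchange with constructed values; returns the outcomes."""
    realm = "LIVE555 Streaming Media"       # constructed realm string
    db = HashedUserDatabase(realm)
    db.add_user("alice", "correct horse")   # constructed credentials
    nonce = "0123456789abcdef"              # constructed; a real server issues a fresh one per challenge
    cmd, url = "DESCRIBE", "rtsp://example.invalid/stream"

    good = client_response("alice", realm, "correct horse", nonce, cmd, url)
    bad = client_response("alice", realm, "wrong password", nonce, cmd, url)
    return {
        "good_password": server_verify(db, "alice", nonce, cmd, url, good),
        "bad_password": server_verify(db, "alice", nonce, cmd, url, bad),
        "unknown_user": server_verify(db, "mallory", nonce, cmd, url, good),
        "other_url": server_verify(db, "alice", nonce, cmd, "rtsp://example.invalid/other", good),
        "plaintext_in_db": "correct horse" in repr(db._records),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of the stored value are worth keeping in mind when adopting this: the HA1 hash is bound to the realm, so changing the server's realm string invalidates every stored record, and within that realm the hash is password-equivalent (anyone who obtains it can produce valid responses without knowing the password), so the database still needs the same access controls as one holding plaintext; what the scheme gains is that a leak does not expose passwords the users may have reused elsewhere.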