Understanding Basic and Digest Authentication

Previous page
Table of content
Next page

You authenticate users of your website for tracking or authorization purposes. The HTTP specification provides two authentication mechanisms: basic and digest. In both cases, the process is the following:

  1. A client tries to access restricted content in the web server.

  2. Apache checks whether the client is providing a username and password. If not, Apache returns an HTTP 401 status code, indicating that user authentication is required.

  3. The client reads the response and prompts the user for the required username and password (usually with a pop-up window).

  4. The client retries accessing the web page, this time transmitting the username and password as part of the HTTP request. The client remembers the username and password and transmits them in later requests to the same site, so the user does not need to retype them for every request.

  5. Apache checks the validity of the credentials and grants or denies access based on the user identity and other access rules.

In basic authentication, the username and password are transmitted in clear text, as part of the HTTP request headers. This poses a security risk because an attacker could easily peek at the conversation between server and browser, learn the username and password, and reuse them freely afterward. Digest authentication provides increased security because it transmits a digest instead of the clear-text password. A digest algorithm is a mathematical operation that takes a text and returns another text, a digest, which uniquely identifies the original one. If a text changes, so does the digest. The digest is based on a combination of several parameters, including the username, password, and request method. The server can calculate the digest on its own and check that the client knows the password, even when the password itself is not transmitted over the network.

Unfortunately, although the specification has been available for quite some time, not all browsers support digest authentication or do it in a compatible manner.

In any case, for both digest and basic authentication, the requested information itself is transmitted unprotected over the network. A better choice to secure access to your website involves using SSL, as explained in Chapter 7.



Previous page
Table of content
Next page
Apache(c) Phrase Book(c) Essential Code and Commands
Apache Phrasebook
ISBN: 0672328364
EAN: 2147483647
Year: 2006
Pages: 254
Authors: Daniel Lopez, Jesus Blanco
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
Cisco IP Communications Express: CallManager Express with Cisco Unity Express
WebLogic: The Definitive Guide
GO! with Microsoft Office 2003 Brief (2nd Edition)
PMP Practice Questions Exam Cram 2
Extending and Embedding PHP
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy