Peter Hansen <[EMAIL PROTECTED]> writes:

> My information about digest was either obsolete or simply wrong, as I
> didn't realize it had all the nonce and anti-replay support it appears
> to have. (I may have been remembering articles about how much of that
> wasn't supported widely at some time in the past, meaning replays were
> still quite possible in most cases. No longer sure.) Thanks for the
> correction.

Digest is actually rarely used, since sites with enough security requirements to make it worthwhile generally use SSL/TLS with either basic auth, or with some login mechanism implemented by the application. Actually, HTTP authentication (basic or digest) is not used all that much in general these days, since nontrivial web apps generally prefer to do their own authentication. It was more common in the early days of the web when most pages were static.

> In my own opinion, however, requiring that passwords be stored in
> clear text on the server is still quite a bad thing to do.

Digest auth, like basic auth, doesn't require storing the cleartext password; only a hash of the password needs to be stored. See RFC 2617 for details.

--
http://mail.python.org/mailman/listinfo/python-list
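The server-side scheme the reply refers to, as an added Python example that is not part of the original thread: per RFC 2617 the server stores only HA1 = MD5(username:realm:password), never the password itself, and it can detect replays by issuing its own nonces and refusing a nonce count that does not increase. The `DigestVerifier` class, the in-memory user and nonce tables, and the `alice` account are assumptions made for the example; the request values in `rfc2617_example_response()` are the ones given in RFC 2617 section 3.5.

```python
import hashlib
import hmac
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string (RFC 2617 digest uses MD5)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 is the only secret the server needs to keep; the password is not stored."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1: str, method: str, uri: str, nonce: str,
                     nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response value for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Hypothetical server-side verifier: stores HA1 per user and tracks nonce use."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user: dict[str, str] = {}      # username -> HA1 (no cleartext)
        self.issued_nonces: dict[str, int] = {}    # nonce -> highest nc accepted

    def add_user(self, username: str, password: str) -> None:
        # The password is hashed once at enrolment and then discarded.
        self.ha1_by_user[username] = make_ha1(username, self.realm, password)

    def issue_nonce(self) -> str:
        """Server-chosen nonce sent in the WWW-Authenticate challenge."""
        nonce = secrets.token_hex(16)
        self.issued_nonces[nonce] = 0
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        if nonce not in self.issued_nonces:
            return False                       # nonce we never issued
        nc_value = int(nc, 16)
        if nc_value <= self.issued_nonces[nonce]:
            return False                       # same or older count: replay
        expected = compute_response(ha1, method, uri, nonce, nc, cnonce, qop)
        if not hmac.compare_digest(expected, response):
            return False                       # wrong password or tampered request
        self.issued_nonces[nonce] = nc_value
        return True


def rfc2617_example_response() -> str:
    """Recompute the response from the worked example in RFC 2617 section 3.5."""
    ha1 = make_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return compute_response(ha1, "GET", "/dir/index.html",
                            "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                            "00000001", "0a4f113b", "auth")


def demo() -> dict[str, bool]:
    """Constructed exchange: one valid request, then a replay and a wrong password."""
    server = DigestVerifier("example.invalid")   # constructed realm
    server.add_user("alice", "correct horse")    # constructed account
    nonce = server.issue_nonce()
    cnonce = secrets.token_hex(8)
    # Client side: it knows the password, computes HA1 itself, and sends the response.
    ha1 = make_ha1("alice", "example.invalid", "correct horse")
    good = compute_response(ha1, "GET", "/private", nonce, "00000001", cnonce)
    bad_ha1 = make_ha1("alice", "example.invalid", "wrong password")
    bad = compute_response(bad_ha1, "GET", "/private", nonce, "00000002", cnonce)
    return {
        "first_request": server.verify("alice", "GET", "/private", nonce,
                                       "00000001", cnonce, good),
        "replayed_request": server.verify("alice", "GET", "/private", nonce,
                                          "00000001", cnonce, good),
        "wrong_password": server.verify("alice", "GET", "/private", nonce,
                                        "00000002", cnonce, bad),
    }


if __name__ == "__main__":
    print(demo())
    print(rfc2617_example_response())
```

The `nc` bookkeeping is what gives digest its anti-replay property: a captured request carries a specific nonce and count, so presenting it again fails even though the response hash is correct. Real servers also expire nonces after a short time; that is omitted here.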