Steve Holden <[EMAIL PROTECTED]> writes:

> Underlining your point, the difference between the two is that digest
> offers *strong* authentication (i.e. is not subject to replay attacks)

As I mentioned in another post, that's really not enough, since digest still exposes the password hash to offline dictionary attacks, which are sure to nab some passwords if you have a lot of users being sniffed and you don't impose severe amounts of password discipline on them. There's also usually no way to log out from an http authenticated session except by completely closing the browser.

All in all, if you have nontrivial security requirements there's not much point in using Digest. Use form-based authentication over SSL/TLS instead. Make sure that the application locks out the user account (at least temporarily) after too many failed login attempts, something http authentication implementations that I know of don't bother to do. For higher security applications (e.g. extranets, admin interfaces, etc.), use client certificates on hardware tokens.

--
http://mail.python.org/mailman/listinfo/python-list
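The post recommends form-based login with a temporary account lockout after too many failed attempts. The following is an added example of that server-side check, written here for illustration and not code from the post or from any Python project: a small `LoginGuard` class that stores salted PBKDF2 hashes, compares them in constant time, counts failures per account, and refuses logins for a lockout window once the threshold is reached. The names (`LoginGuard`, `MAX_FAILURES`, `LOCKOUT_SECONDS`) and the threshold values are assumptions chosen for the example; the clock is injectable so the expiry of the lockout can be exercised deterministically.

```python
import hashlib
import hmac
import os
import time

# Illustrative policy values (assumptions, not from the post).
MAX_FAILURES = 5            # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # length of the temporary lockout
PBKDF2_ROUNDS = 100_000     # work factor for the stored password hash


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 hash suitable for storage.

    Returns (salt, digest); a fresh random salt is generated if none is given.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Password check with a per-account temporary lockout (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> (failure count, time of last failure)

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def is_locked(self, username):
        """True while the account is inside its lockout window."""
        count, last = self._failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self._clock() - last >= LOCKOUT_SECONDS:
            # The lockout has expired: clear the counter and let the user retry.
            self._failures.pop(username, None)
            return False
        return True

    def login(self, username, password):
        """Return 'ok', 'locked' or 'denied'.

        A locked account is refused even with the correct password, which is
        what stops an online guessing attack from continuing.
        """
        if self.is_locked(username):
            return "locked"
        record = self._users.get(username)
        if record is None:
            # Unknown user: still run the KDF so response time does not reveal
            # which usernames exist, then treat the attempt as a failure.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(candidate, stored)
        if ok:
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, self._clock())
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILURES):
        guard.login("alice", "guess")
    print(guard.login("alice", "correct horse battery staple"))  # locked
```

In a real deployment the failure table would live in shared storage (a database or cache) rather than in process memory, and the unknown-username branch would be bounded so that a flood of random usernames cannot grow the table without limit.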