RE: mod_auth_form and digest authentication


 



I couldn't figure out how to get digest authentication working with mod_auth_form. The documentation mentions it once, but offers no specifics, and I was unable to guess it (I even tried looking at the source for comments that might help).

Now as to why I would rather use digest authentication: I have been unsuccessful in compiling mod_session_crypto. A site that had been using Digest would obviously have the bigger concern of preserving user passwords. It happens that for the property I'm hoping to deploy mod_auth_form on in the next release, I have most of the passwords in both digest and htpasswd-compatible formats. Based on the pace of the release cycle, I don't expect an official Ubuntu package until the end of October 2012; since Apache httpd 2.3 isn't in Sid, I can't assume a working package through Debian anytime soon.

I would prefer the stronger cryptography of mod_session_crypto, or a cryptographically enhanced version of digest if one were available. Since I store both password forms in my database, I can use digest now and then switch later.


-----Original Message-----
From: Igor Galić [mailto:i.galic@xxxxxxxxxxxxxx] 
Sent: Monday, December 26, 2011 7:29 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  mod_auth_form and digest authentication



----- Original Message -----
> Version of Apache 2.3.15
> 
> The documentation for mod_auth_form says that it works with digest or 
> basic

Actually, mod_auth_form should work with any kind of authentication system that you come up with, since it essentially gives up control to you and your application.

> authentication. I have it working with basic authentication from a 
> database, but I can't find anything about how to switch over to 
> digest. There are two reasons for wanting to do this, first if your 
> users already have passwords encrypted in digest format, second the 
> normal digest HTTP_AUTHORIZATION does not include the password in 
> clear text and would not need mod_session_crypto if that value were 
> used for the session.

Is there a specific reason why you do not want to, or cannot use mod_session_crypto?


So long,

i 

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
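
Added example (not part of the thread and not the Apache project's code): how an htdigest-format entry, the digest-format password storage mentioned above, can be checked against a password submitted through a login form. The function names are hypothetical, and the user names, realm and passwords are constructed sample values.

```python
import hashlib
import hmac

# An htdigest line is "user:realm:HA1", where HA1 = MD5("user:realm:password").
# HA1 is bound to the user name and realm, so renaming the realm invalidates
# every stored entry.

def ha1(user: str, realm: str, password: str) -> str:
    """Return HA1 as lowercase hex, the value htdigest stores."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def parse_htdigest(text: str) -> dict:
    """Map (user, realm) -> HA1, skipping blanks, comments and malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            continue  # not user:realm:<32 hex chars>
        user, realm, digest = parts
        entries[(user, realm)] = digest.lower()
    return entries

def verify_form_login(entries: dict, user: str, realm: str, password: str) -> bool:
    """Check a cleartext form password against the stored HA1."""
    candidate = ha1(user, realm, password)
    stored = entries.get((user, realm))
    if stored is None:
        # Compare against a dummy value so unknown users cost the same work.
        hmac.compare_digest(candidate, "0" * 32)
        return False
    return hmac.compare_digest(candidate, stored)

# Constructed sample data: two valid entries and one malformed line.
SAMPLE_REALM = "Example Realm"
SAMPLE_FILE = "\n".join([
    "# constructed htdigest content",
    "alice:%s:%s" % (SAMPLE_REALM, ha1("alice", SAMPLE_REALM, "correct horse")),
    "bob:%s:%s" % (SAMPLE_REALM, ha1("bob", SAMPLE_REALM, "battery staple")),
    "broken-line-without-fields",
])

if __name__ == "__main__":
    db = parse_htdigest(SAMPLE_FILE)
    print(verify_form_login(db, "alice", SAMPLE_REALM, "correct horse"))
    print(verify_form_login(db, "alice", "Other Realm", "correct horse"))
```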






