You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Mark Lentczner <ma...@glyphic.com> on 2002/09/20 19:47:28 UTC
[users@httpd] Digest authentication: mod_digest vs. mod_auth_digest
Okay, I've looked all over and I can't get a clear answer:
I want to use digest authentication on my site. It seems clear from
the Apache docs that mod_auth_digest is newer than mod_digest. What
isn't clear is which I should use. I've found this much out:
==> mod_auth_digest implements the later RFC 2617, whereas I suspect
that mod_digest does the older RFC 2069.
==> mod_auth_digest is clearly marked experimental.
==> The RedHat 7.3 RPMs for Apache (apache-1.3.23-14.rpm) only include
mod_digest.
==> Various sources (Apache docs, this mailing list, usenet groups,
etc...) all claim that digest authentication is not supported by many
browsers - but most of these warnings seem either outdated, or just
echoing other outdated sources.
==> My own tests with mod_digest yield that it works with IE 5.5/WinXP,
IE 5.2/MacOSX, WebFolders/WinXP, WebDAV client/MacOSX, and
Dreamweaver/WinXP. Not bad - the only thing that didn't work was
Goliath/MacOSX.
So, I'm looking for some clear answers and advice on:
Q.: Is there a clear preference for either mod_digest or
mod_auth_digest?
Q.: Did RFC 2617 change digest authentication in a non-backward
compatible way?
Q.: More specifically, does mod_auth_digest not work with all the
browsers that work with mod_digest?
Q.: Are the warnings about lack of digest support in client software
truly outdated?
For the record, I'm running Apache 1.3 and would like to keep using the
RedHat supplied RPMs if possible, but I'm willing to compile my own if
need be. I'm actually only protecting the WebDAV access to some hosted
friends' sites with digest authentication. Hence, I don't really care
if the content is encrypted enroute: it's all just public HTML
documents anyway!
I did try the SSL/TLS route first (which I had working), but this is
actually *less* compatible: None of the web authoring tools that have
built-in WebDAV support will do it over SSL/TLS (neither will WebDAV
support in Mac OS X, though Windows' WebFolders will, as will Goliath
on Mac.) So, please don't suggest I chuck digest authentication and
just use SSL/TLS.
Thanks for any help you can shed on this...
- Mark
Mark Lentczner, CEO
Glyphic Technology
http://www.glyphic.com/
lentczner@glyphic.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Digest authentication: mod_digest vs. mod_auth_digest
Posted by Joshua Slive <jo...@slive.ca>.
I'm not an expert on this, but I can few in a few details.
Mark Lentczner wrote:
> Q.: Is there a clear preference for either mod_digest or mod_auth_digest?
mod_auth_digest is the prefered module. It is the only one included in
Apache 2.0, and the only one with recent development work.
> Q.: Did RFC 2617 change digest authentication in a non-backward
> compatible way?
Don't know.
> Q.: More specifically, does mod_auth_digest not work with all the
> browsers that work with mod_digest?
Don't know.
> Q.: Are the warnings about lack of digest support in client software
> truly outdated?
Most newer browsers work with mod_auth_digest. BUT, MSIE has a serious
bug that will prevent the use of digest auth on URIs that contain a
query string.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org