Challenge/Response authentication

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Fri Jul 26 15:31:31 EDT 2002


Dale Strickland-Clark <dale at riverhall.NOTHANKS.co.uk> writes:
> We are providing a number of forms which sit, seamlessly, inside
> client web pages. We handle the form and the data, although the
> content of the form will depend on the client - not the user of the
> browser. The client needs to identify and authenticate themselves on
> the URL that puts the form in the frame.
> 
> The communication between our servers and the browser isn't the issue
> here.
> 
> Had a quick look at HMAC

I'm not sure I understand this--where does the challenge come from?

What stops someone from intercepting and re-using the authenticating URL?

Maybe you want to read the HTTP spec for digest authentication and 
do what it says.  But use HMAC instead of simply appending a password
to the challenge.
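
Added example, not part of the original post: a minimal sketch of the server-issued challenge with an HMAC response, made single-use and time-limited so a captured authenticating URL cannot be replayed. The class and function names, the 60-second lifetime and the `client_id:challenge` message layout are assumptions for illustration, not the HTTP digest wire format.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


def compute_response(key, client_id, challenge):
    """Client side: HMAC over the challenge, keyed with the shared secret."""
    msg = f"{client_id}:{challenge}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChallengeServer:
    def __init__(self, client_keys):
        self.client_keys = client_keys  # client_id -> shared secret (bytes)
        self.outstanding = {}           # challenge -> (client_id, issued_at)

    def issue_challenge(self, client_id, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)  # unpredictable, generated by the server
        self.outstanding[challenge] = (client_id, now)
        return challenge

    def verify(self, client_id, challenge, response, now=None):
        now = time.time() if now is None else now
        # pop() makes every challenge single-use: a replayed URL finds nothing here.
        entry = self.outstanding.pop(challenge, None)
        if entry is None:
            return False
        issued_to, issued_at = entry
        if issued_to != client_id or now - issued_at > CHALLENGE_TTL:
            return False
        key = self.client_keys.get(client_id)
        if key is None:
            return False
        expected = compute_response(key, client_id, challenge)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode(), response.encode())
```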