Making digest authentication usable for HTTP
darren at wans.net
Tue Oct 7 16:21:21 EDT 2008
My understanding of SASL digest authentication is that it is intended
to be compatible with HTTP digest authentication. However, when
experimenting with sasl-sample-server I was unable to find some
capabilities which are necessary for this purpose:
• Ability to specify different realms for password file and
authentication string. Internet Explorer and Opera try to reuse old
credentials, even after multiple authentication failures. The only way
to prevent this is to change the realm.
• Ability to specify connection method. The default SASL connection
method is Authenticate, which is not used by HTTP.
• Ability to save nonce for future requests. Retrieving a nonce value
and sending an authorization string by HTTP would be two separate
• Ability to start with client data. After receiving the nonce value,
the client sends an authentication string without waiting for a
challenge from the server.
I would prefer to use a standard tool for authentication than to
create a custom program. Are these abilities present in the Cyrus SASL
More information about the Cyrus-sasl