[mod_python] Question about get_basic_auth_pw()

Dominique.Holzwarth at ch.delarue.com
Mon May 26 04:43:01 EDT 2008


Yes you're right, the password is sent to the server in plain text. But isn't the password just sent only ONCE (when you log in)? Or is it stored inside a cookie and sent with every request? Because the "get_basic_auth_pw()" can receive the password for every single request (not just the first one). That's why I thought it gets the data from the auth file...

The whole procedure I was thinking about is the following:
1. user provides login & pw (login screen)
2. data is sent to the client
3. pw is MD5 encrypted by apache and matched with the already encrypted pw inside the auth file
4. get_basic_auth_pw() reads the pw from the auth file

But that's not the case as it seems... Only other way I can imagine is the use of a cookie for resending the password with every request. But that's rather stupid imo... =)

Dominique

-----Original Message-----
From: Bart [mailto:scarfboy at gmail.com]
Sent: Friday, 23 May 2008 17:15
To: mod_python at modpython.org
Subject: Re: [mod_python] Question about get_basic_auth_pw()

2008/5/23  <Dominique.Holzwarth at ch.delarue.com>:
> Hi all
>
> Does anyone have an idea how the function "get_basic_auth_pw()"
> manages to decrypt the user password stored as MD5 inside the
> auth-file into its clear text version?
> I'm asking cause I maybe have to convert the MD5 passwords into the
> clear text passwords myself and wondering how this is possible as
> normally those passwords shouldn't be decryptable (I think) and
> authentication should be done by matching 2 MD5... =)

You may be thinking of Digest HTTP authentication.
Basic HTTP authentication sends passwords in (base64'd, IIRC) plain text.

Regards,
--Bart
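
Added example (not part of the original thread, and not mod_python's own code): with Basic authentication the client repeats the `Authorization: Basic` header on each request and its value is only base64-encoded, so the server decodes the clear-text password from the request and hashes it for comparison, rather than recovering it from the auth file. The names `parse_basic_auth`, `hash_password`, `check_request`, the sample user and the PBKDF2 hash standing in for the auth file's format are assumptions.

```python
import base64
import binascii
import hashlib
import hmac


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None                      # Digest, Bearer, or empty credentials
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # not valid base64 / not text
    user, sep, password = decoded.partition(":")
    if not sep:
        return None                      # "user:password" separator missing
    return user, password                # split on first colon; password may contain ':'


def hash_password(password, salt):
    # Stand-in for the auth file's one-way hash (assumption: PBKDF2-SHA256,
    # not Apache's own MD5 format).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_request(headers, auth_file):
    """Verify one request by hashing the received password and comparing."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None or creds[0] not in auth_file:
        return False
    salt, stored = auth_file[creds[0]]
    return hmac.compare_digest(hash_password(creds[1], salt), stored)


# Constructed sample data: one user, and two separate requests from the same client.
SALT = b"constructed-salt"
AUTH_FILE = {"alice": (SALT, hash_password("s3cret:pw", SALT))}
TOKEN = base64.b64encode(b"alice:s3cret:pw").decode("ascii")
REQUESTS = [
    {"Path": "/login", "Authorization": "Basic " + TOKEN},
    {"Path": "/report", "Authorization": "basic " + TOKEN},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["Path"], parse_basic_auth(req["Authorization"]), check_request(req, AUTH_FILE))
```

Because every request carries the recoverable password, Basic authentication needs TLS underneath it; the stored hash is never reversed at any point.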


