[mod_python] Question about get_basic_auth_pw()

Graham Dumpleton graham.dumpleton at gmail.com
Mon May 26 05:48:55 EDT 2008


There is no MD5 or cookies involved. As already pointed out it is
base64 only and it gets sent by the browser on every request.

See:

  http://www.ietf.org/rfc/rfc2617.txt

Graham

2008/5/26  <Dominique.Holzwarth at ch.delarue.com>:
> Yes you're right, the password is sent to the server in plain text. But isn't the password just sent only ONCE (when you log in)? Or is it stored inside a cookie and sent with every request? Because the "get_basic_auth_pw()" can receive the password for every single request (not just the first one). That's why I thought it gets the data from the auth file...
>
> The whole procedure I was thinking about is the following:
> 1. user provides login & pw (login screen)
> 2. data is sent to the client
> 3. pw is MD5 encrypted by apache and matched with the already encrypted pw inside the auth file
> 4. get_basic_auth_pw() reads the pw from the auth file
>
> But that's not the case as it seems... Only other way I can imagine is the use of a cookie for resending the password with every request. But that's rather stupid imo... =)
>
> Dominique
>
> -----Original Message-----
> From: Bart [mailto:scarfboy at gmail.com]
> Sent: Freitag, 23. Mai 2008 17:15
> To: mod_python at modpython.org
> Subject: Re: [mod_python] Question about get_basic_auth_pw()
>
> 2008/5/23  <Dominique.Holzwarth at ch.delarue.com>:
>> Hi all
>>
>> Does anyone have an idea how the function "get_basic_auth_pw()"
>> manages to decrypt the user password stored as MD5 inside the
>> auth-file into its clear text version?
>> I'm asking cause I maybe have to convert the MD5 passwords into the
>> clear text passwords myself and wondering how this is possible as
>> normally those passwords shouldn't be decryptable (I think) and
>> authentication should be done by matching 2 MD5... =)
>
> You may be thinking of Digest HTTP authentication.
> Basic HTTP authentication sends passwords in (base64'd, IIRC) plain text.
>
> Regards,
> --Bart
>
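
Added example, not part of the original thread and not mod_python's own code: a sketch of what a server can do with the Authorization header that Basic authentication sends on every request, showing that the password is decoded from the request and the auth-file hash is only compared against, never reversed. The names parse_basic_auth, sha_entry, check and AUTH_FILE are hypothetical, and the htpasswd "{SHA}" entry format is used as a simpler stand-in for the MD5 entries mentioned in the thread.

```python
import base64
import binascii
import hashlib
import hmac

def parse_basic_auth(header_value):
    """Return (user, password) from an Authorization header value, else None.
    RFC 2617: credentials = "Basic" SP base64(userid ":" password)."""
    scheme, _, token = (header_value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # missing header or another scheme such as Digest
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64
    # The userid cannot contain ":", so split on the first one only;
    # the password may contain further colons.
    user, sep, password = decoded.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None

def sha_entry(password):
    """Auth-file entry in htpasswd -s form: "{SHA}" + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def check(header_value, auth_file):
    """Hash the password carried by this request and compare it with the
    stored entry; the stored hash is never reversed."""
    creds = parse_basic_auth(header_value)
    if creds is None or creds[0] not in auth_file:
        return False
    return hmac.compare_digest(sha_entry(creds[1]), auth_file[creds[0]])

# Header value from the RFC 2617 example: user "Aladdin", password "open sesame".
RFC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
# Constructed auth file (hypothetical contents).
AUTH_FILE = {"Aladdin": sha_entry("open sesame")}

if __name__ == "__main__":
    # Two requests in one session: each one carries the same credentials.
    for path in ("/index", "/report"):
        print(path, parse_basic_auth(RFC_HEADER), check(RFC_HEADER, AUTH_FILE))
```

Because the header is only base64-encoded, anything that can read the request can read the password, which is why Basic authentication is normally run over TLS.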

