Digest Authentication for Jigsaw


Digest Authentication is another method of authenticating a user over the web. Most servers and clients currently support Basic Authorization. Most are familiar with this scheme where the server returns with an Unauthorized header and the user is provided with a dialog box to type in the user's username and password. The grave security problem with this scheme is that the user's credentials are transmitted in the open across the wire to the server so that anyone listening gains instant access to all material available with those credentials. Digest Authentication encrypts the credentials along with a server generated nonce that gurantees that the user is who he says he or she is. Then the server recreates the encrypted credentials and sees if they match up. This way, authorization is completed without sending across a password in the clear.

This page has links to the following information about the Digest Authentication filter:

Author's Comments

(Mail feedback to achakra@w3.org)
This is the first release of the Digest Authentication filter. Somethings involved are going to definitely be changed. Storage of nonces are going to be made more efficient as is the sorting/lookup of them also. The entire design will probably move to more modularity. Lastly, options will be added so that the Administrator can decide on the nonce lifetime and how secure he wants the authentication to be (ie at the expense of the server resources).


Information is limited since the API wasn't created along with the entire Jisgaw package. For this reason, all packages, Hierarchy, and Index was left out.
This page is maintained by
Anit Chakraborty
Please mail feedback to achakra@w3.org
Last updated 27 June 1996