Comments on: Request for Comments: Challenge-Response Digest Authentication for webapps? http://stuartl.longlandclan.yi.org/blog/2007/03/24/request-for-comments-challenge-response-digest-authentication-for-webapps/ The life and times of Stuart Longland (VK4MSL) Tue, 10 Jan 2012 21:20:44 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Redhatter http://stuartl.longlandclan.yi.org/blog/2007/03/24/request-for-comments-challenge-response-digest-authentication-for-webapps/comment-page-1/#comment-326 Redhatter Wed, 28 Mar 2007 00:10:18 +0000 http://stuartl.longlandclan.hopto.org/blog/2007/03/24/request-for-comments-challenge-response-digest-authentication-for-webapps/#comment-326 Indeed, forcing JavaScript on users is definitely wrong. That said, it is possible to use a scheme like this whilst providing a transparent fallback to more traditional mechanisms when JavaScript is not available. Basically the aim of this is; if the client can do JavaScript, utilise this feature to improve security. Otherwise, fall back to basic authentication, perhaps warning the user that their password will be sent in the clear. This can be easily achieved through a hidden field, modified by the client-side JavaScript, that tells the CGI app which method of authentication is in use. If JavaScript is disabled, the hidden field will remain at its default value, and the webapp can assume basic auth. If it has been modified, it can try CRDA. Indeed, forcing JavaScript on users is definitely wrong. That said, it is possible to use a scheme like this whilst providing a transparent fallback to more traditional mechanisms when JavaScript is not available.

Basically the aim of this is; if the client can do JavaScript, utilise this feature to improve security. Otherwise, fall back to basic authentication, perhaps warning the user that their password will be sent in the clear.

This can be easily achieved through a hidden field, modified by the client-side JavaScript, that tells the CGI app which method of authentication is in use. If JavaScript is disabled, the hidden field will remain at its default value, and the webapp can assume basic auth. If it has been modified, it can try CRDA.

]]> By: stuherbert http://stuartl.longlandclan.yi.org/blog/2007/03/24/request-for-comments-challenge-response-digest-authentication-for-webapps/comment-page-1/#comment-325 stuherbert Tue, 27 Mar 2007 16:04:46 +0000 http://stuartl.longlandclan.hopto.org/blog/2007/03/24/request-for-comments-challenge-response-digest-authentication-for-webapps/#comment-325 Sorry, but any scheme that relies on Javascript on the client is fundamentally flawed. Javascript isn't available on the browsers used by many disabled users, and in the UK it's illegal to discriminate against disabled users. Best regards, Stu Sorry, but any scheme that relies on Javascript on the client is fundamentally flawed. Javascript isn’t available on the browsers used by many disabled users, and in the UK it’s illegal to discriminate against disabled users.

Best regards,
Stu

]]>