oath-toolkit-help

Re: [OATH-toolkit-help] HOTP in HTTP Digest


From: Simon Josefsson
Subject: Re: [OATH-toolkit-help] HOTP in HTTP Digest
Date: Sat, 15 Jan 2011 09:19:29 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)

Daniel Pocock <address@hidden> writes:

>> What do you think if there were a hotp_validate_otp_callback() interface
>> that took a callback function to implement the 'strcmp' operation?  Then
>> you could call hotp_validate_otp_callback and provide a function pointer
>> to your function that generates an HTTP Digest response and compares it
>> with what was received by the web server?
>>   
> I actually had the same idea, although it made me start thinking about
> an object-oriented rewrite.  However, a function pointer is probably
> all that is needed.

Please test the just-released v1.4.0, I'm curious whether it solves your
issue.

> I agree that HTTP Digest is not the most beautiful technology -
> phpMyID actually creates a session cookie and then stops looking at
> the digest headers.  In a real HTTP digest scenario, the user would be
> prompted for their token code on every GET request (for every image on
> the page, for example), so I'm in no hurry to make this into a full
> Apache module.

TOTP may be slightly better here, as at least the same TOTP will be
valid for (typically) 30 seconds.  OTOH, you probably don't want to
enter a new TOTP every 30 seconds anyway...

However, an apache module should probably have a grace period where it
accepts an older OTP anyway, and the same could be implemented for HOTP
too.

/Simon
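To make the callback idea above concrete, here is an added example (editor's illustration, not code from the thread or from oath-toolkit) of why a Digest-authenticating server needs a comparison callback rather than a plain OTP string compare: the server never sees the OTP, only MD5(HA1:nonce:nc:cnonce:qop:HA2), so it must generate candidate HOTPs for a window of counters, build the Digest response each would produce, and compare that with what the browser sent. The same loop carries the grace period Simon mentions: counters the server has already consumed stay acceptable for `grace` steps, which is what lets the browser re-send the same Authorization header for every image on a page. liboath 1.4.0 exposes an interface of this shape (oath_hotp_validate_callback, taking a strcmp-style callback and a handle; check the 1.4.0 header for the exact signature); the Python below mirrors the idea and is not a binding to the library. The realm, user name, nonce, URI and client nonce are constructed; the secret is the RFC 4226 test-vector key.

```python
"""Added example: HOTP validation through a comparison callback so that a
server which only sees an HTTP Digest response can still verify the token
code, plus a small grace window for already-consumed counters.

All request parameters below are constructed for illustration; the secret is
the RFC 4226 Appendix D test-vector key.  Not oath-toolkit code.
"""
import hashlib
import hmac
import struct
from typing import Callable, Optional

# RFC 4226 Appendix D test-vector secret ("12345678901234567890" in ASCII).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def digest_response(user: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """RFC 2617 Digest 'response' for qop=auth with the MD5 algorithm.
    The server receives only this hash, never `password` (the OTP) itself."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def hotp_validate_callback(secret: bytes, next_counter: int, window: int,
                           grace: int,
                           matches: Callable[[str], bool]) -> Optional[int]:
    """Return the counter whose OTP satisfies `matches(candidate_otp)`, or None.

    Candidates run from next_counter - grace (already-used codes still
    accepted: the grace period) up to next_counter + window (the usual
    RFC 4226 look-ahead for codes the client generated but never sent).
    `matches` is the 'strcmp' step; here it builds a Digest response from
    the candidate and compares it with the one the browser sent."""
    low = max(0, next_counter - grace)
    for counter in range(low, next_counter + window + 1):
        if matches(hotp(secret, counter)):
            return counter
    return None


class DigestHotpServer:
    """Minimal server-side state: per-user secret and the next unused counter.
    Note that the grace window deliberately re-admits a replay of the last
    OTP until the counter moves on, so in a real module it should be bound
    to a short-lived nonce or session as well."""

    def __init__(self, realm: str, secret: bytes, next_counter: int = 0,
                 window: int = 5, grace: int = 1):
        self.realm = realm
        self.secret = secret
        self.next_counter = next_counter
        self.window = window
        self.grace = grace

    def check(self, user: str, method: str, uri: str, nonce: str, nc: str,
              cnonce: str, response: str) -> bool:
        def matches(candidate_otp: str) -> bool:
            expected = digest_response(user, self.realm, candidate_otp,
                                       method, uri, nonce, nc, cnonce)
            return hmac.compare_digest(expected, response)

        hit = hotp_validate_callback(self.secret, self.next_counter,
                                     self.window, self.grace, matches)
        if hit is None:
            return False
        # Advance past a fresh counter; a grace-period hit leaves it alone.
        if hit >= self.next_counter:
            self.next_counter = hit + 1
        return True


if __name__ == "__main__":
    server = DigestHotpServer("example.org", RFC4226_SECRET)
    # Constructed request parameters (what a browser would send for one GET).
    args = dict(user="daniel", method="GET", uri="/index.html",
                nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
                cnonce="0a4f113b")
    otp = hotp(RFC4226_SECRET, 2)  # token pressed three times, code 2 sent
    resp = digest_response(password=otp, realm="example.org", **args)
    print(server.check(response=resp, **args))  # True: counter 2 accepted
    print(server.check(response=resp, **args))  # True: same header, grace
    print(server.next_counter)                  # 3
```

Because the loop cost is one HMAC plus three MD5s per candidate, the window and grace values should stay small; every extra counter in the range is also one more OTP an attacker can guess at per request, so rate-limit failures as you would for a plain HOTP validator.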


