Re: [OATH-toolkit-help] HOTP in HTTP Digest
From: Simon Josefsson
Subject: Re: [OATH-toolkit-help] HOTP in HTTP Digest
Date: Sat, 15 Jan 2011 09:19:29 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)
Daniel Pocock <address@hidden> writes:
>> What do you think if there were a hotp_validate_otp_callback() interface
>> that took a callback function to implement the 'strcmp' operation? Then
>> you could call hotp_validate_otp_callback and provide a function pointer
>> to your function that generates a HTTP Digest response and compares it
>> with what was received by the web server?
>>
> I actually had the same idea, although it made me start thinking about
> an object-oriented rewrite. However, a function pointer is probably
> all that is needed.
Please test the just-released v1.4.0; I'm curious whether it solves your
issue.
> I agree that HTTP Digest is not the most beautiful technology -
> phpMyID actually creates a session cookie and then stops looking at
> the digest headers. In a real HTTP digest scenario, the user would be
> prompted for their token code on every GET request (for every image on
> the page, for example), so I'm in no hurry to make this into a full
> Apache module.
TOTP may be slightly better here, as at least the same TOTP will be
valid for (typically) 30 seconds. OTOH, you probably don't want to
enter a new TOTP every 30 seconds anyway...
However, an Apache module should probably have a grace period where it
accepts an older OTP anyway, and the same could be implemented for HOTP
too.
/Simon
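The two ideas in this thread, validating an HOTP through a caller-supplied comparison callback (because the server only ever sees the HTTP Digest hash of the OTP, never the OTP itself) and accepting a window of older or newer counter values as a grace period, fit together in one small piece of code. The following is an added illustration written for this page, not liboath's own implementation and not phpMyID's; it reimplements RFC 4226 HOTP with Python's standard library and an RFC 2617 Digest response without qop. The function and parameter names (`validate_hotp_callback`, `make_digest_matcher`, `window`) are assumptions for the example, and the username, realm, nonce and secret are constructed test values (the secret is the RFC 4226 test key).

```python
import hashlib
import hmac
import struct
from typing import Callable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def validate_hotp_callback(secret: bytes, start_counter: int, window: int,
                           digits: int, matches: Callable[[str], bool]) -> Optional[int]:
    """Try counters start_counter .. start_counter + window and hand each
    candidate OTP to `matches`, the caller's replacement for strcmp.
    Returns the offset of the accepted counter, or None if nothing matched.
    `window` is the grace period: how far ahead of the stored counter the
    client is allowed to drift. On success the caller must store
    start_counter + offset + 1 as the new counter so the OTP cannot be replayed."""
    for i in range(window + 1):
        if matches(hotp(secret, start_counter + i, digits)):
            return i
    return None


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest 'response' without qop:
    MD5(MD5(user:realm:password) : nonce : MD5(method:uri))."""
    def h(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


def make_digest_matcher(username: str, realm: str, method: str, uri: str,
                        nonce: str, received_response: str) -> Callable[[str], bool]:
    """Build the callback: recompute the Digest response with the candidate
    OTP as the password and compare it in constant time to what the
    web server received in the Authorization header."""
    def matches(candidate_otp: str) -> bool:
        expected = digest_response(username, realm, candidate_otp, method, uri, nonce)
        return hmac.compare_digest(expected, received_response)
    return matches


# Constructed scenario: the RFC 4226 test secret, a client whose token is at
# counter 3 while the server last saw counter 1, and a window of 5.
SECRET = b"12345678901234567890"
USERNAME, REALM, NONCE = "alice", "example-realm", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/protected/index.html"


def demo(client_counter: int = 3, server_counter: int = 1, window: int = 5) -> Optional[int]:
    """Client side: the token code is used as the Digest password.
    Server side: walk the counter window, recomputing the Digest for each
    candidate OTP. Returns the offset found (2 here), or None."""
    client_otp = hotp(SECRET, client_counter)
    received = digest_response(USERNAME, REALM, client_otp, METHOD, URI, NONCE)
    matcher = make_digest_matcher(USERNAME, REALM, METHOD, URI, NONCE, received)
    return validate_hotp_callback(SECRET, server_counter, window, 6, matcher)


if __name__ == "__main__":
    print("accepted at offset", demo())
```

Because the server recomputes the full Digest for every candidate counter, the cost of validation grows linearly with the window, which is one more reason to keep the grace period small; a TOTP variant of the same code would derive the counter from `time // 30` and walk a window of time steps instead.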