Daniel Pocock <address@hidden> writes:
> What do you think if there were a hotp_validate_otp_callback() interface
> that took a callback function to implement the 'strcmp' operation? Then
> you could call hotp_validate_otp_callback and provide a function pointer
> to your function that generates an HTTP Digest response and compares it
> with what was received by the web server?
I actually had the same idea, although it made me start thinking about
an object-oriented rewrite. However, a function pointer is probably
all that is needed.
Please test the just-released v1.4.0; I'm curious whether it solves your
issue.
I agree that HTTP Digest is not the most beautiful technology -
phpMyID actually creates a session cookie and then stops looking at
the digest headers. In a real HTTP digest scenario, the user would be
prompted for their token code on every GET request (for every image on
the page, for example), so I'm in no hurry to make this into a full
Apache module.
TOTP may be slightly better here, as at least the same TOTP will be
valid for (typically) 30 seconds. OTOH, you probably don't want to
enter a new TOTP every 30 seconds anyway...
However, an Apache module should probably have a grace period where it
accepts an older OTP anyway, and the same could be implemented for HOTP
too.
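The callback idea above (the caller supplies a strcmp-style function, and the HTTP Digest comparison happens inside it) together with the grace period for older OTPs, as an added example. This is neither oath-toolkit's code nor anything posted in the thread, and it is written in Python rather than against the library's C API, so the names hotp_validate_callback, make_digest_strcmp and simulate_login and the lookback parameter are this example's own assumptions. The secret is the RFC 4226 test key; the username, realm, URI and nonce are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Callable


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp_validate_callback(secret: bytes, start_counter: int, window: int,
                           strcmp_otp: Callable[[str], int], lookback: int = 0) -> int:
    """Validate without the server ever seeing the OTP in the clear (assumed name/signature).

    Candidate counters start_counter - lookback .. start_counter + window are tried in
    order; strcmp_otp(candidate) follows the strcmp convention (0 means "matches").
    Returns the counter that matched, or -1. lookback is the grace period for an older
    OTP discussed in the thread; lookback=0 gives plain forward-window behaviour.
    """
    for counter in range(max(0, start_counter - lookback), start_counter + window + 1):
        if strcmp_otp(hotp(secret, counter)) == 0:
            return counter
    return -1


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5hex(f"{username}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")


def make_digest_strcmp(username: str, realm: str, method: str, uri: str,
                       nonce: str, received_response: str) -> Callable[[str], int]:
    """Build the callback (assumed helper): recompute the Digest response the client would
    have produced with the candidate OTP as its password and compare it, in constant time,
    with the response the web server actually received."""
    def strcmp_otp(candidate_otp: str) -> int:
        expected = digest_response(username, realm, candidate_otp, method, uri, nonce)
        return 0 if hmac.compare_digest(expected, received_response) else 1
    return strcmp_otp


# Constructed sample data: the RFC 4226 test secret and an RFC 2617-style nonce.
SECRET = b"12345678901234567890"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def simulate_login(client_counter: int, server_counter: int, window: int = 5,
                   lookback: int = 0) -> int:
    """Client at client_counter sends a Digest response built from its OTP; the server,
    last synchronised at server_counter, validates it through the callback."""
    client_response = digest_response("alice", "otp-realm", hotp(SECRET, client_counter),
                                      "GET", "/protected", NONCE)
    cmp_fn = make_digest_strcmp("alice", "otp-realm", "GET", "/protected", NONCE,
                                client_response)
    return hotp_validate_callback(SECRET, server_counter, window, cmp_fn, lookback)


if __name__ == "__main__":
    print(simulate_login(3, 1))              # 3: inside the forward window
    print(simulate_login(3, 4))              # -1: older OTP, no grace period
    print(simulate_login(3, 4, lookback=2))  # 3: accepted by the grace period
```

After a successful validation the server must persist the returned counter plus one as its new start; with a non-zero lookback it must also keep track of counters that were already consumed, otherwise the grace period turns every accepted OTP into a replayable credential for as long as it stays inside the lookback range. The cost of this design is one MD5-based Digest computation per candidate counter, which is negligible for windows of a few dozen entries.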