How does Digest Authentication differ from Basic Authentication other than sending credentials as plain text?

The only difference, as far as I know, is that it doesn’t requires sending the username and password across the wire in plaintext.

The server gives the client a one-time use string (a nonce) that it combines with the username, realm, password and the URI request. The client runs all of those fields through an MD5 hashing method to produce a hash key.

It sends this hash key to the server along with the username and the realm to attempt to authenticate.

Server-side the same method is used to generate a hashkey, only instead of using the password typed in to the browser the server looks up the expected password for the user from its user DB. It looks up the stored password for this username, runs in through the same algorithm and compares it to what the client sent. If they match: access is granted, otherwise it can send back an 401 request to have the user retry or an access denied error (I forget the code sorry).

http://stackoverflow.com/questions/2384230/what-is-digest-authentication – Original Link. Good answer.

Advertisements