Google Git
Sign in
apache / httpd / 1.3.x / . / htdocs / manual / mod / mod_digest.html
blob: 1782170690da8f79bd74a7a2df3399200346d113 [file] [log] [blame]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Apache module mod_digest</title>
<style>
.obsolete
{
margin: 0;
padding: 8px 10px;
padding-left: 50px;
padding-bottom: 10px;
line-height: 1.4em;
background: #f99 url(../images/warning.png) no-repeat 0px 0px;
margin-left: auto;
margin-right: auto;
width: 35em;
}
.currentdocs
{
background: #f99;
}
</style>
</head>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
vlink="#000080" alink="#FF0000">
<div align="CENTER">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 1.3</h3>
<div class="obsolete"><p>You are looking at the documentation for the
1.3 version of the Apache HTTP Server, which is no longer
maintained, and has been declared "end of life". If you are in
fact still using the 1.3 version, <strong style="font-weight: inherit;">please consider upgrading</strong>.
The current version of the server is <a
href="http://httpd.apache.org/docs/2.4/">2.4</a>.
In the current version of the server, the equivalent of this module is now named
<a
href="http://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html"
>mod_auth_digest</a>.</p>
</div>
</div>
<h1 align="CENTER">Module mod_digest</h1>
<p>This module provides for user authentication using MD5
Digest Authentication.</p>
<p><a href="module-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Extension<br />
<a href="module-dict.html#SourceFile"
rel="Help"><strong>Source File:</strong></a> mod_digest.c<br />
<a href="module-dict.html#ModuleIdentifier"
rel="Help"><strong>Module Identifier:</strong></a>
digest_module<br />
<a href="module-dict.html#Compatibility"
rel="Help"><strong>Compatibility:</strong></a> Available in
Apache 1.1 and later.</p>
<h2>Summary</h2>
<p>This module implements an older version of the MD5 Digest
Authentication specification. While suitable for most modern
browsers, mod_digest is known to not work with Microsoft
Internet Explorer. Please see <a
href="mod_auth_digest.html">mod_auth_digest</a> for a module
which implements the most recent version of the standard
and does not suffer from the same limitations as mod_digest.</p>
<h2>Directives</h2>
<ul>
<li><a href="#authdigestfile">AuthDigestFile</a></li>
</ul>
<h2>Using Digest Authentication</h2>
<p>Using MD5 Digest authentication is very simple. Simply set
up authentication normally. However, use "AuthType Digest" and
"AuthDigestFile" instead of the normal "AuthType Basic" and
"AuthUserFile".</p>
<p>As to make sure that replay is not possible across
sections of the site, or across sites (assuming a realm,
userid and password are valid in that wider context) a
secret nonce prefix can be configured with the
core directive <a href="core.html#AuthDigestRealmSeed">AuthDigestRealmSeed</a>.
</p>
<p>If none if configured a sensible, but not particular
secure, default is used. When used in load balancing
situations the prefix should be shared across servers.
</p>
<p>The experimental <a href="mod_auth_digest.html">mod_auth_digest</a>
module offers a number of additinal protections against replay.
</p>
<p>Everything else should remain the same.</p>
<p>MD5 authentication provides a more secure password system,
but only works with supporting browsers. As of this writing
(December 2003) most major browsers, including
<a href="http://www.microsoft.com/windows/ie/">MS Internet Explorer</a>,
<a href="http://www.opera.com/">Opera</a>,
<a href="http://www.netscape.com/">Netscape</a>,
<a href="http://www.mozilla.org/">Mozilla</a>, and
<a href="http://www.w3.org/Amaya/">Amaya</a>,
support the Digest authentication scheme. However, of this list
MS Internet Explorer is known to be incompatable with the
older digest authentication format supported by this module.
Therefore, we do not recommend using this module on a large
Internet site. However, for personal and intra-net use, where
browser users can be controlled, it is ideal.</p>
<p>See also <a href="mod_auth_digest.html">mod_auth_digest</a>,
which is an updated version of this module, in order to determine
whether you want to use that module instead. In either case, if
you are using one, you should not use the other, as they share
some of the same configuration directives.</p>
<hr />
<h2><a id="authdigestfile"
name="authdigestfile">AuthDigestFile</a> directive</h2>
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> AuthDigestFile
<em>filename</em><br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> directory,
.htaccess<br />
<a href="directive-dict.html#Override"
rel="Help"><strong>Override:</strong></a> AuthConfig<br />
<a href="directive-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Base<br />
<a href="directive-dict.html#Module"
rel="Help"><strong>Module:</strong></a> mod_digest
<p>The AuthDigestFile directive sets the name of a textual file
containing the list of users and encoded passwords for digest
authentication. <em>Filename</em> is the absolute path to the
user file.</p>
<p>Example</p>
<code>AuthDigestFile /usr/local/apache/passwords/passwords.digest</code>
<p>The digest file uses a special format. Files in this format
can be created using the "<a href="../programs/htdigest.html">htdigest</a>"
utility found in the support/ subdirectory of the Apache distribution.</p>
<!--#include virtual="footer.html" -->
</body>
</html>