I am writing a client-side JavaScript implementation of digest authorization and I ran into trouble. After a successful login I put the authorization header parameters into a cookie for the next request. But if the URI is changed, the md5 hash becomes invalid. I could recalculate `Authorization`, but I no longer have the clear-text password. I suppose that the browser implementation makes this recalculation. Am I right? If that is true, what can I do? Storing the clear-text password in a variable is not a good idea for security reasons.
Can't you hash by domain? You haven't really provided any technical details of your implementation. – Etheryte Nov 27 '14 at 14:38
Domain (realm) is used in the hash calculation, but how does it help me? I skipped irrelevant details. What technical details are required? I saw (for the native browser implementation) that the `response` parameter in the `Authorization` header for a request to a new URI differs from the previous one. I supposed that the browser stores the clear-text password and uses it in the hash recalculation. My main question is: Is it true? – user3414982 Nov 28 '14 at 08:48
1 Answer
I found a half solution. The `response` md5 hash is calculated as a combination of two hashes: ha1 and ha2. ha1 depends on `username`, `realm` and `password`. ha2 depends on `method` and `uri`. So I can store ha1 in the local storage of the browser and use it in the `response` recalculation. This way doesn't solve the original problem, but it makes it impossible for a malefactor to recalculate `response` for other `realm`s.
