Feature Proposal: Change (or Add as option) Apache Digest Auth

Motivation

From the Apache docs:
It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted.

Description and Documentation

To make logging in to a Foswiki with Apache Auth enabled more secure, the Digest Authentication method should be supported. Digest authentication does not transfer passwords in clear text.

Examples
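The Examples section of the proposal is empty, so the following added illustration (not part of the original proposal and not Apache or Foswiki code) shows what an RFC 2617 Digest exchange actually computes: the server stores HA1 = MD5(user:realm:password) (the format htdigest writes), the client answers the nonce challenge with a response hash, and the server recomputes it from HA1. The realm "Foswiki", the user, the password, the nonce and the htdigest line are all constructed sample values.

```python
import hashlib
import hmac
import re

REALM = "Foswiki"  # constructed example realm; must equal the AuthName in the Apache config


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). This is the value htdigest stores in the
    # AuthUserFile, so the server never needs the clear-text password at all.
    return _md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username: str, password: str, realm: str, method: str,
                        uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # The Authorization header a browser sends after the 401 challenge. Only the
    # response digest travels over the wire, never the password itself.
    ha1 = digest_ha1(username, realm, password)
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    # Split the comma-separated key=value / key="value" list into a dict.
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {k: (q or u) for k, q, u in _PARAM.findall(header[len("Digest "):])}


def load_htdigest(lines) -> dict:
    # Parse htdigest-style "user:realm:HA1" lines (constructed in memory here, not a real file).
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        table[(user, realm)] = ha1
    return table


def server_verify(header: str, htdigest: dict, method: str, expected_nonce: str) -> bool:
    # Server side: recompute the response from the stored HA1 and compare in constant time.
    p = parse_authorization(header)
    for key in ("username", "realm", "nonce", "uri", "nc", "cnonce", "response"):
        if key not in p:
            return False
    if p["nonce"] != expected_nonce:  # a real server also tracks nonce age and nc replay
        return False
    ha1 = htdigest.get((p["username"], p["realm"]))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"],
                               p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


# Constructed sample data: one htdigest entry and a fixed server nonce.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c0"
HTDIGEST = load_htdigest([f"alice:{REALM}:{digest_ha1('alice', REALM, 's3cret')}"])


def demo():
    # Client builds the header for a Foswiki view URL; server checks it against HTDIGEST.
    hdr = build_authorization("alice", "s3cret", REALM, "GET",
                              "/bin/view/Main/WebHome", NONCE, "00000001", "0a4f113b")
    return hdr, server_verify(hdr, HTDIGEST, "GET", NONCE)


if __name__ == "__main__":
    header, ok = demo()
    print(header)
    print("verified:", ok)
```

The point for Foswiki is that ApacheAuth only consumes REMOTE_USER, so switching Apache from `AuthType Basic` to `AuthType Digest` (with an htdigest file whose realm matches AuthName) changes what crosses the wire without changing what Foswiki sees. Note that the stored HA1 is still password-equivalent for that realm, so the AuthUserFile needs the same protection as an htpasswd file.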

Impact


Implementation

-- Contributors: CharlesAdicke - 09 Dec 2010

Discussion

ApacheAuth uses whatever auth method apache has configured. So it should already work with Digest, if that's how you've configured Apache. If this doesn't work, please raise an urgent bug.

Perhaps you want ApacheConfigGenerator to support digest configurations? I think that's a great idea, but probably doesn't need a feature proposal, feel free to go ahead and add it (or add a note on the page under "Wanted Improvements") :-) Perhaps you are referring to the Foswiki documentation text; that's something we can certainly improve.

-- PaulHarvey - 09 Dec 2010

Apache has its own variation on MD5 which is defined as "$apr1$ + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password." I've already implemented it as part of ImproveHtPaswdUserFlexibility. Once that proposal is accepted I'll change this one to MergedToCore.

The impact of this particular piece is very minimal - adds an optional dependency for Crypt::DigestMD5

For now setting the date of commitment to 12 July 2011 since the work is covered under another proposal of that date.

-- GeorgeClark - 23 Jul 2011
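To make the "$apr1$" scheme George quotes concrete, here is an added Python reimplementation of it (not Foswiki's Perl code and not the Crypt module mentioned above; the names apr1_crypt, apr1_hash and apr1_verify are my own). It shows the salt mixing, the 1,000-round MD5 loop and the base-64 rearrangement end to end, plus a constant-time verifier of the kind a password store needs.

```python
import hashlib
import hmac
import secrets

MAGIC = b"$apr1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte positions of the final digest in the order the crypt(3)-style encoder emits them.
REARRANGE = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))


def _to64(value: int, count: int) -> str:
    # crypt(3)-style base-64: 6 bits at a time, least significant first.
    out = []
    for _ in range(count):
        out.append(chr(ITOA64[value & 0x3F]))
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    pw = password.encode("utf-8")
    salt_b = salt.encode("ascii")[:8]  # apr1 uses at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in the alternate sum, 16 bytes at a time, for the length of the password.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # Then one byte per bit of the password length: NUL for set bits, pw[0] otherwise.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # The 1,000-round stretching loop George refers to.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in REARRANGE
    )
    encoded += _to64(final[11], 2)
    return f"$apr1${salt_b.decode('ascii')}${encoded}"


def apr1_hash(password: str) -> str:
    # Fresh random 8-character salt drawn from the crypt alphabet.
    salt = "".join(chr(ITOA64[b & 0x3F]) for b in secrets.token_bytes(8))
    return apr1_crypt(password, salt)


def apr1_verify(password: str, stored: str) -> bool:
    # Accept only "$apr1$<salt>$<hash>" and compare in constant time.
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)


if __name__ == "__main__":
    h = apr1_hash("example-password")  # constructed sample password
    print(h)
    print("verify ok:", apr1_verify("example-password", h))
```

To cross-check the implementation, hash a password with `htpasswd -nbm` and compare, or use the sample hash in Apache's password encryptions documentation. Note that 1,000 MD5 rounds was a cost factor chosen for 1990s hardware; it is far cheaper to brute-force than bcrypt, so an htpasswd file protected only by $apr1$ still needs strict file permissions.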
Topic revision: r4 - 30 Jul 2011, GeorgeClark