On Nov 13, 2007 1:57 PM, Jonathan Vanasco <[EMAIL PROTECTED]> wrote:
> client: Hey I want to log in!
> server: Here's a Challenge: $time . $seed . digest( $time . $seed . $site_secret )
> client: Here is my username and a hash that is Digest( password, server_challenge )
> server: I looked up your username in the db, and the password is 'abc'. If I hash the stored password with the server_challenge I sent you, I get the hash you sent me. I will log you in now.
I would call it challenge-response then, not ticketless. But what happens next? The server sends a cookie of some sort and the client returns it on every request? Otherwise, you have to do this tango every time.

I guess I don't really see what this saves you over typical auth ticket systems, unless you're unable to use SSL for the login request.

- Perrin
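The exchange Jonathan sketches above, written out as an added Python example that is not code from the original thread or from either poster. It models both sides: the server issues a challenge of the form time.seed.mac, the client answers with a digest of its password and the challenge, and the server recomputes that digest from the credential it has on file. Two points the code makes explicit that the sketch leaves implicit: the server has to check that the challenge is one it issued and is not stale, and the server must hold the password itself (as in the 'abc' lookup in the thread), since it needs to recompute the client's hash. The site secret, the user table and the 300-second window are constructed values; the MAC over time.seed uses HMAC-SHA256 here rather than a plain digest of the concatenation, which is a choice made in this example, not something the thread specifies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the example; a real deployment would load these elsewhere.
SITE_SECRET = b"constructed-site-secret-not-for-real-use"
USERS = {"alice": "abc"}          # the scheme needs the password itself, not a hash of it
MAX_CHALLENGE_AGE = 300           # seconds a challenge stays acceptable


def issue_challenge(site_secret, now=None, seed=None):
    """Server side: build time.seed.mac so the server can later recognise its own challenge."""
    now = int(time.time()) if now is None else now
    seed = secrets.token_hex(8) if seed is None else seed
    mac = hmac.new(site_secret, f"{now}.{seed}".encode(), hashlib.sha256).hexdigest()
    return f"{now}.{seed}.{mac}"


def verify_challenge(site_secret, challenge, now=None, max_age=MAX_CHALLENGE_AGE):
    """Server side: reject challenges it did not issue, that were altered, or that are too old."""
    try:
        ts_text, seed, mac = challenge.split(".")
        ts = int(ts_text)
    except ValueError:
        return False
    expected = hmac.new(site_secret, f"{ts}.{seed}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return 0 <= now - ts <= max_age


def client_response(password, challenge):
    """Client side: Digest(password, server_challenge) as in the thread."""
    return hashlib.sha256(f"{password}.{challenge}".encode()).hexdigest()


def server_login(site_secret, username, challenge, response, now=None):
    """Server side: look up the stored password, hash it with the challenge, compare."""
    if not verify_challenge(site_secret, challenge, now=now):
        return False
    stored_password = USERS.get(username)
    if stored_password is None:
        return False
    expected = client_response(stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    ch = issue_challenge(SITE_SECRET)
    resp = client_response("abc", ch)
    print("login ok:", server_login(SITE_SECRET, "alice", ch, resp))
```

As Perrin notes, this only covers the login request; the server still has to hand back some session token for later requests, or repeat the exchange every time.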