I have a simple question: Is it possible to use Digest-Authentication with a XMLHTTPRequest?
If the answer is no, what's the technical reason? Or if it is possible - how can I do that?
Thanks a lot … google has no good answer so far :-/
EDIT:
Thanks for the answers. Modifying the header to match the digest authentication-scheme, after a nonce has been received, seems to be a solution.
But what I was really looking for was that I could change my current call: xmlhttp.open("GET", url, false, username, password); to sth. like that xmlhttp.open("GET", url, false, username, password, "DIGEST");
That’s also part of my initial question: Why does the open-method not offer the option to make a digest-request?
Maybe there is js-lib one could recommend that lets me do that - as you imagine I don't really want to change the one and simple xmlhttp.open to multiple requests and first get a nonce.
You can do it no problem. Just follow the parts of the specs you feel like ;)
https://www.rfc-editor.org/rfc/rfc2617
and is all you are missing to start writing your authentication library
http://pajhome.org.uk/crypt/md5/
on the client side.
pre-exchange user name and password
Hey I want to authenticate ----> server
Ok here is a nonce/salt ----> client
here is a md5 hash sum of my username password timestamp and the salt -----> server
I just hased up your password and username the same way you did and they are the same ----->client
Those are the basics of it.
I left out that you need to include the URI of the requested resource in the hashsum!!!!
Of course you do this with every request you make for a resource to the server that way some one intercepting the hash could only view the content you requested and could not make a request for a miscellaneous resource.This method does not secure the data just access to it.