On Wed, Sep 14, 2011 at 6:40 PM, Stephan Beal <sgb...@googlemail.com> wrote:
> Hi, all!
> Just implemented...
> Request:
> GET: /json/login?n=name&p=pass
> Param names "n" and "p" are for compatibility with the current usage, and
> may optionally be written out as "name" and "password".
> or POST: /json/login
> POST request body: { "payload":{"name":"...", "password":"..."} }
> (POSTed login data doesn't land in the apache logs, so it's highly
> preferred!)

For the password on GET, you could mimic what HTTP-Auth-Digest does.

Instead of sending the password in plain text, you hash the password
with a nonce received from the server. Of course, to get the nonce,
you have to attempt to login without supplying credentials. The server
would then respond with a payload containing the nonce to use in the
hash.

One way to generate the nonce would be to concatenate the date, time,
IP address and a random number, then hash the result.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
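The challenge/response login the reply above sketches, worked through as an added example; it is not code from the original thread or from Fossil itself. It assumes a `nonce` and `r` (response) query parameter, a 60-second nonce lifetime, single-use nonces, and that the server stores sha1(password) per user so both sides can derive the same value (Fossil's actual stored form is not specified on the page). The nonce is built as the reply describes: date/time, client IP and a random number, concatenated and hashed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table (assumption): login name -> sha1(password) hex digest.
USERS = {"alice": hashlib.sha1(b"correct horse").hexdigest()}

NONCE_TTL = 60  # seconds a nonce stays valid (assumption)


def expected_response(name, nonce, password_digest):
    # Both sides compute sha256("name:nonce:sha1(password)"), so the
    # password itself never appears in the GET query string.
    return hashlib.sha256(f"{name}:{nonce}:{password_digest}".encode()).hexdigest()


def client_response(name, password, nonce):
    # Client side: derive the stored digest from the plaintext and hash with the nonce.
    return expected_response(name, nonce, hashlib.sha1(password.encode()).hexdigest())


class Server:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.nonces = {}        # nonce -> (issued_at, client_ip)

    def make_nonce(self, client_ip):
        # Nonce as the reply describes: time, client IP and a random number,
        # hashed. The random part comes from the OS CSPRNG (secrets), so the
        # nonce stays unpredictable even if time and IP are known to an attacker.
        issued = self.now()
        raw = f"{issued}|{client_ip}|{secrets.randbits(128)}".encode()
        nonce = hashlib.sha256(raw).hexdigest()
        self.nonces[nonce] = (issued, client_ip)
        return nonce

    def login(self, params, client_ip):
        # GET /json/login with no credentials: hand out a nonce to hash with.
        if "n" not in params:
            return {"nonce": self.make_nonce(client_ip)}
        name, nonce, response = params.get("n"), params.get("nonce"), params.get("r")
        # pop() makes the nonce single-use: replaying a URL copied from a log fails.
        entry = self.nonces.pop(nonce, None)
        if entry is None:
            return {"error": "unknown or reused nonce"}
        issued, ip = entry
        if self.now() - issued > NONCE_TTL or ip != client_ip:
            return {"error": "nonce expired or bound to another client"}
        stored = USERS.get(name)
        if stored is None:
            return {"error": "no such user"}
        expected = expected_response(name, nonce, stored)
        if not hmac.compare_digest(expected, response or ""):
            return {"error": "bad credentials"}
        return {"ok": True, "user": name}


def client_login(server, name, password, client_ip="203.0.113.7"):
    # Full exchange: fetch nonce, answer the challenge, return the server's
    # verdict and the query string (what an Apache access log would record).
    nonce = server.login({}, client_ip)["nonce"]
    params = {"n": name, "nonce": nonce, "r": client_response(name, password, nonce)}
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return server.login(params, client_ip), query


if __name__ == "__main__":
    srv = Server()
    verdict, query = client_login(srv, "alice", "correct horse")
    print(query)    # no password in the logged URL
    print(verdict)  # {'ok': True, 'user': 'alice'}
```

The logged query string carries only the name, the nonce and a one-time hash, and the server's single-use, time-limited nonce makes a copied URL useless for replay. The trade-off is the same as HTTP Digest's HA1: the stored sha1(password) is itself password-equivalent for this scheme, so the user table still needs protecting, and binding the nonce to the client IP will reject clients whose address changes mid-exchange (for example behind some NATs).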