Jonathan Vanasco wrote:
> I needed to create an authentication system to handle logins to my
> mod_perl app via Flash and JS
>
> My first thought was to use CRAM-MD5, but there wasn't a way to do that
> without relying on cookies or a db to handle the challenge
>
> What I came up with was a Ticketless CRAM system (that uses md5 by
> default, but can be extended to use sha1 or any other digester via a
> subclass that has isolated all of the digest functions)

Why is this considered "ticketless"? Isn't the challenge that you mention below
really a ticket? And does the client need to present this ticket on every request?

> It creates a challenge in this format:
> "%(time_start)s::%(seed)s::%(checksum)s"
> where checksum is
> MD5( $time_start . $seed . $site_secret )
> Therefore:
> the time window of validity can be controlled
> there is no need to store / session stuff on the server
>
> Any feedback would be greatly appreciated

Sounds an awful lot like mod_auth_tkt to me, or am I missing something?

--
Michael Peters
Developer
Plus Three, LP
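
The challenge format quoted in this thread, issued and verified without server-side storage, as an added example that is not part of either poster's message or the module under discussion. The function names, `SITE_SECRET`, the 300-second window and the random hex seed are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SITE_SECRET = "constructed-demo-secret"  # assumption: server-only secret
WINDOW_SECONDS = 300                     # assumption: validity window


def checksum(time_start, seed, site_secret, digest="md5"):
    # Construction quoted in the thread: DIGEST(time_start . seed . site_secret)
    data = f"{time_start}{seed}{site_secret}".encode()
    return hashlib.new(digest, data).hexdigest()


def make_challenge(now=None, site_secret=SITE_SECRET, digest="md5"):
    # Everything needed for later verification travels inside the string.
    time_start = int(time.time() if now is None else now)
    seed = secrets.token_hex(8)
    return "%(time_start)s::%(seed)s::%(checksum)s" % {
        "time_start": time_start,
        "seed": seed,
        "checksum": checksum(time_start, seed, site_secret, digest),
    }


def verify_challenge(challenge, now=None, site_secret=SITE_SECRET,
                     window=WINDOW_SECONDS, digest="md5"):
    parts = challenge.split("::")
    if len(parts) != 3:
        return False
    ts, seed, given = parts
    if not (ts.isascii() and ts.isdigit()):
        return False
    # Recompute from the presented fields; compare in constant time.
    expected = checksum(ts, seed, site_secret, digest)
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return False
    # Reject both expired challenges and timestamps from the future.
    age = int(time.time() if now is None else now) - int(ts)
    return 0 <= age <= window
```

Because nothing is stored, the same challenge string verifies repeatedly until the window closes.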