HTTP digest in javascript. md5 recalculation for new uri


I am writing a client-side JavaScript implementation of digest authorization and I ran into trouble. After a successful login I put the Authorization header parameters into a cookie for the next request. But if the URI changes, the MD5 hash becomes invalid. I could recalculate Authorization, but I no longer have the clear-text password. I suppose that the browser implementation does this recalculation. Am I right? If that is true, what can I do? Storing the clear-text password in a variable is not a good idea for security reasons.

user3414982 On

I found a half solution. The response MD5 hash is calculated as a combination of two hashes: ha1 and ha2. ha1 depends on the username, realm and password. ha2 depends on the method and URI. So I can store ha1 in the browser's local storage and use it to recalculate the response. This doesn't solve the original problem, but it makes it impossible for a malefactor to recalculate the response for other realms.
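
The recalculation described in this answer, as an added example that is not part of the original post: HA1 is computed once at login and each request's response is rebuilt from it for the new method and URI, following the RFC 2617 formulas. The function names and the `challenge` object are hypothetical, the input is the RFC 2617 sample exchange, and Node.js's built-in `crypto` module is assumed for MD5 (a browser needs an MD5 library, since Web Crypto does not provide it).

```javascript
// Added example (not from the original post). Assumes Node.js, whose
// built-in crypto module provides MD5; function names are hypothetical.
const { createHash } = require('node:crypto');

const md5 = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// HA1 is computed once at login; the password can then be discarded.
function computeHa1(username, realm, password) {
  return md5(`${username}:${realm}:${password}`);
}

// Recompute the response for any method/URI from the stored HA1.
// ch holds the server challenge values (nonce, qop); nc must increase by
// one for every request sent with the same nonce.
function digestResponse(ha1, method, uri, ch, nc, cnonce) {
  const ha2 = md5(`${method}:${uri}`);
  const ncHex = nc.toString(16).padStart(8, '0');
  const response = ch.qop === 'auth'
    ? md5(`${ha1}:${ch.nonce}:${ncHex}:${cnonce}:auth:${ha2}`)
    : md5(`${ha1}:${ch.nonce}:${ha2}`); // form used when the server sends no qop
  return { uri, nc: ncHex, cnonce, response };
}

// Constructed sample input: the values of the RFC 2617 example exchange.
const challenge = {
  realm: 'testrealm@host.com',
  nonce: 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
  qop: 'auth',
};
const storedHa1 = computeHa1('Mufasa', challenge.realm, 'Circle Of Life');

// Same stored HA1, two different URIs: only HA2 and nc change.
const first = digestResponse(storedHa1, 'GET', '/dir/index.html', challenge, 1, '0a4f113b');
const second = digestResponse(storedHa1, 'GET', '/dir/other.html', challenge, 2, '0a4f113b');
console.log(first.response, second.response);
```

The stored HA1 is enough to authenticate as that user within the realm, so it needs the same protection from script access and storage leaks as any other credential.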