Home

I'm a web developer and co-founder of the Pylons project. I also wrote FormBuild, AuthKit and the Python Web Modules.

I'm a director of 3aims Ltd http://3aims.com and I've started a blog here: http://jimmyg.org

You can contact me at james at pythonweb dot org.

  1. Feb 08, 2008

    Anonymous says:

    You've written the following in Chapter 19, one of the AuthKit chapters:
    Even HTTP digest authentication which does use some encryption on the password isn't particularly secure because anyone monitoring the network traffic could simply send the encrypted digest and be able to sign onto the site themselves although they wouldn't be able to obtain the user's password so it is slightly better. Even if you are using digest authentication it is worth using SSL too.
    You're sure HTTP Digests are susceptible to replay attacks? A simple MD5 hash of the password is, but a digest is much more than that, unless I've misread the spec. --me@lbruno.org
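
An added example, not part of the comment above, the book chapter or AuthKit's code: the RFC 2617 digest calculation (qop=auth) with a hypothetical server-side verifier, showing that an identical Authorization header is accepted a second time only when the server does not track the nonce count. The class name, realm, user and password are constructed for illustration.

```python
import hashlib, hmac, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Hypothetical server-side check (not AuthKit's implementation)."""

    def __init__(self, realm, passwords, track_nc=True):
        self.realm = realm
        self.passwords = passwords  # constructed sample credential store
        self.track_nc = track_nc
        self.last_nc = {}           # server-issued nonce -> highest nc accepted

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, method, uri, auth):
        password = self.passwords.get(auth["username"])
        if password is None or auth["nonce"] not in self.last_nc:
            return "rejected"       # unknown user, or a nonce this server never issued
        expected = digest_response(auth["username"], self.realm, password,
                                   method, uri, auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return "rejected"       # wrong password, method or URI
        nc = int(auth["nc"], 16)
        if self.track_nc and nc <= self.last_nc[auth["nonce"]]:
            return "replayed"       # this nonce count was already used
        self.last_nc[auth["nonce"]] = nc
        return "ok"

def demo(track_nc=True):
    server = DigestVerifier("example", {"alice": "s3cret"}, track_nc)  # constructed values
    nonce = server.issue_nonce()
    auth = {"username": "alice", "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b"}
    auth["response"] = digest_response("alice", "example", "s3cret", "GET", "/private",
                                       nonce, auth["nc"], auth["cnonce"])
    first = server.verify("GET", "/private", auth)
    again = server.verify("GET", "/private", auth)  # identical header sent twice
    other = server.verify("GET", "/admin", auth)    # same header, different URI
    return first, again, other
```

With nonce-count tracking the second identical header is refused; without it the header stays valid for that method and URI until the server retires the nonce, which is why the transport still needs TLS.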

  2. Feb 18, 2010

    Anonymous says:

    I am using AuthKit right now in a development project and attempting to have it working with IIS 5.1 and 6.0. I have two main issues with AuthKit (which, no matter how I tried to solve them by collecting any helpful info via the http://rapid4me.com SE, still remain):
    1. When run through the WSGI_ISAPI plugin to IIS, as soon as a 403 Forbidden is encountered the webpage will return a message indicating a login is required, but it will not return the login screen that appears when I have the website hosted through paster (the exact same code is running on each). As this does not occur for paster and the WSGI will return the error, I believe it is safe to assume that AuthKit is not performing correct mapping (although I'm sure I've seen the 403 problem noted elsewhere as an issue, just not with the ISAPI).
    2. I am unable to tell AuthKit to use a Mako template for the background for the login screen if I have my application set to form authentication (which I would much prefer over forward auth).
    I would much prefer to keep using AuthKit but running under IIS is a major requirement at this point. Since I am unable to track down the author on this issue it is quite close to a show-stopper.