[APACHE DOCUMENTATION]

Apache HTTP Server Version 1.3

  • el
  • pt
  • Module mod_digest

    This module provides for user authentication using MD5 Digest Authentication.

    Status: Extension
    Source File: mod_digest.c

    Module Identifier: digest_module
    Compatibility: Available in Apache 1.1 and later.

    Summary

    This module implements an older version of the MD5 Digest Authentication specification. While suitable for most modern browsers, mod_digest is known to not work with Microsoft Internet Explorer. Please see mod_auth_digest for a module which implements the most recent version of the standard and does not suffer from the same limitations as mod_digest.

    Directives

    Using Digest Authentication

    Using MD5 Digest authentication is very simple. Simply set up authentication normally. However, use "AuthType Digest" and "AuthDigestFile" instead of the normal "AuthType Basic" and "AuthUserFile".

    As to make sure that replay is not possible across sections of the site, or across sites (assuming a realm, userid and password are valid in that wider context) a secret nonce prefix can be configured with the core directive AuthDigestRealmSeed.

    If none if configured a sensible, but not particular secure, default is used. When used in load balancing situations the prefix should be shared across servers.

    The experimental mod_auth_digest module offers a number of additinal protections against replay.

    Everything else should remain the same.

    MD5 authentication provides a more secure password system, but only works with supporting browsers. As of this writing (December 2024) most major browsers, including MS Internet Explorer, Opera, Netscape, Mozilla, and Amaya, support the Digest authentication scheme. However, of this list MS Internet Explorer is known to be incompatable with the older digest authentication format supported by this module. Therefore, we do not recommend using this module on a large Internet site. However, for personal and intra-net use, where browser users can be controlled, it is ideal.

    See also mod_auth_digest, which is an updated version of this module, in order to determine whether you want to use that module instead. In either case, if you are using one, you should not use the other, as they share some of the same configuration directives.


    AuthDigestFile directive

    Syntax: AuthDigestFile filename
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Base
    Module: mod_digest

    The AuthDigestFile directive sets the name of a textual file containing the list of users and encoded passwords for digest authentication. Filename is the absolute path to the user file.

    Example

    AuthDigestFile /usr/local/apache/passwords/passwords.digest

    The digest file uses a special format. Files in this format can be created using the "htdigest" utility found in the support/ subdirectory of the Apache distribution.


    Apache HTTP Server Version 1.3

    Index Home