Digest::Auth / Methodology

A Perl library for hash-based authorization.

SYNOPSIS:

OVERVIEW

A large portion of attacks tend to target vulnerabilities in the server applications themselves, such as DDoS, SQL injection, and man-in-the-middle attacks. This module seeks to help prevent man-in-the-middle attacks by creating one-way hashes that are passed between the server and the client together with time-sensitive and connection-oriented data, enforcing security at the application level in addition to the standard industry practice of an SSL and/or VPN connection, for an additional layer of protection.

With the default module behaviour there is an added bonus: the user's password is never transmitted or stored in plain text.

INITIALIZATION

When the module is initialized it creates a unique alphanumeric token of 10 random characters drawn from upper case letters, lower case letters, and numbers, which would be very difficult to guess (about 1 in 430,804,206,899,405,800, or 1 in 58 to the power of 10). When the token is given out, the IP address and timestamp are recorded in the sessions table.

VALIDATION

When trying to validate / authenticate a session, users are allotted only one try to validate with any given token and have a limited time to do so; by default only 10 minutes (see the validation parameter). If you fail to validate for any reason you are assigned a new token and the old one is discarded. In addition to this limitation you must keep the same IP address: changing your IP address at any time after you initialize (even after you become authorized) will terminate your session. By default a user is only allowed to be logged in once, preventing many varieties of man-in-the-middle attacks. After initialization, the token certificate and server time are sent to the user, and the user's client browser takes inputs for their username and password. A client-side JavaScript application then makes a one-way hash digest of the user's userid, token, password, and server time. After this hash (SHA1 by default) is created, only the userid, token, and hash are submitted to the server for validation.

Because this module automatically detects and bans both IP addresses and usernames that make multiple unsuccessful attempts, it is literally impervious to any sort of brute force or library attack. In addition, if you couple this system with a script that generates a random password via the KeyGen() method for some sort of automated signup with email validation, you increase security even further.

AUTHORIZATION

After the system validates the user, it sets a cookie made up of the userid and hash, and stores the hash information along with the timestamps of when the session was created and when it was last active. By default the module will create and enforce lockouts on IP addresses and usernames to further protect the application.

ACCESS CONTROL

Access control is handled by a variety of methods and parameters. I highly recommend that you carefully consider the module object's configuration parameters to control access first and use methods to make changes second. It is easier to prevent your users from getting locked out prematurely than to just perform LockExpire() after the fact.
