Using Challenge-Response Authentication

As distributed, local.inc contains an example class named Example_Challenge_Auth, which uses a Challenge-Response authentication scheme. If the client browser supports Javascript, this login screen does not transmit passwords in the clear over the network. If the client does not support Javascript, login is still possible, but passwords are transmitted in the clear, as regular Example_Auth always does.

Example_Challenge_Auth is there to demonstrate advanced usage of PHP and Javascript and to show off the flexibility of the library base classes: The Challenge-Response authentication scheme has been implemented completely and naturally in local.inc by subclassing Auth with no alteration of library code.

Example_Challenge_Auth includes crloginform.ihtml. It also requires that the file md5.js is present in the document root directory of your web server. That file contains an implementation of the MD5 message digest algorithm written by Henri Torgemane. The basic idea behind this authentication scheme is simple: $auth->auth_loginform() creates a challenge value which is incorporated into the form. When the user submits the form, MD5("username:password:challenge") is calculated and filled into the reply field, and the password field is erased. The server can calculate the expected reply from the username received, the password in the database and the challenge, which it knows, and compare the expected reply to the actual reply value. If they match, the user is authenticated. Note that because the server must recompute this digest, it needs the password itself, not just a hash of it, in the database.

If the reply field is empty and password is set, the server knows that the client cannot do Javascript. The user can still be authenticated, but the password is visible on the network.

The class is a drop-in replacement for Example_Auth.