[OT] http-authorization:

Don Russell fedora at drussell.dnsalias.com
Thu Dec 1 19:35:25 UTC 2005


On 12/1/2005 11:19 AM, Les Mikesell wrote:
> On Thu, 2005-12-01 at 13:08, Don Russell wrote:
> 
>>>>I have a web appl that uses status code 401 (authorization required) to
>>>>challenge the user for an id/password. The client then responds with the
>>>>http-authorization header etc. All is well.
>>>>
>>>>But, I want to make a more 'friendly' log on page:
>>>>So, my server sends a page with status 200 (OK) with a simple form with
>>>>two fields: userid/password. (The rest of the page content is the
>>>>friendly fluff, not relevant to my problem)
>>>
>>>
>>>Usually the way this is done is to turn off basic authentication
>>>and use something cookie-based instead.  You can probably find
>>>a routine in whatever server scripting language you prefer
>>>to handle the login and checking if you don't want to write
>>>your own.  A side effect is that you can add a 'logout' button
>>>to delete the cookie where the only way to get rid of basic
>>>authentication is to shut down the browser.
>>
>>OK... thank you... that idea occurred to me, but it seems less secure. 
>>It seems like such a simple need: a way to tell the browser, "Here, use 
>>this page to prompt for the userid and password".
>>
>>It's too bad that by providing a "splash page" to log on from, that 
>>reduces the overall security of the site.. maybe I'm missing something. :-)
> 
> 
> What you are missing is that basic authentication is about
> as insecure as it gets since the login and password are passed
> in plain text on every request unless you run everything over
> https and there is no way to make a browser forget them other
> than exiting every instance.  With cookies you can be more
> creative about what you put in it, how you encode, how long
> it's valid, etc.  If security is a concern you should be
> using https anyway and cookies that only persist for the
> current session.

Yes, this is using SSL... so that should be OK. It just seems that the 
security aspects are moved to the application side of things, rather 
than the system side of things... and unless all cgis check for this 
cookie properly, there will be an exposure.

So, you're saying that https with cookies is at least equally secure as 
https with basic authentication?

As long as requests go through a cgi, I can check the cookie... but what 
if it's just a plain html document? I want to make sure the cookie is 
there/valid. (Thinking out loud.. maybe I can force all requests through 
a cgi)

I do like the "logout button" idea of deleting the cookie before it 
expires "naturally"....

Thanks,
Don
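An added example (not code from this thread or from any Fedora project) of the cookie-based scheme under discussion: one HMAC-signed session cookie, a single gate that every request passes through so that plain HTML documents get the same check as CGIs, and a logout that deletes the cookie before it expires on its own. The key, cookie name, paths and function names are assumptions.

```python
import hmac, hashlib, time

SECRET_KEY = b"constructed-demo-key-not-for-production"  # constructed value
SESSION_TTL = 30 * 60        # seconds a session stays valid
LOGIN_PAGE = "/login.html"   # the friendly 200-status logon form (assumed path)
COOKIE = "session"

def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user, now=None):
    # Token layout: user|expiry|hmac. A '|' in the username would break parsing.
    if "|" in user:
        raise ValueError("username may not contain '|'")
    exp = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{user}|{exp}"
    return f"{payload}|{_mac(payload)}"

def verify_session(token, now=None):
    # Return the user if the token is untampered and unexpired, else None.
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, exp, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{user}|{exp}")):
        return None  # forged or modified cookie
    if int(exp) <= (time.time() if now is None else now):
        return None  # expired "naturally"
    return user

def set_cookie_header(token):
    # Secure: sent only over https. HttpOnly: not readable by page scripts.
    return f"{COOKIE}={token}; Path=/; Secure; HttpOnly"

def logout_header():
    # Max-Age=0 makes the browser discard the cookie right away.
    return f"{COOKIE}=; Path=/; Max-Age=0; Secure; HttpOnly"

def _cookie_value(header, name):
    for part in (header or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def gate(path, cookie_header, now=None):
    # Decide every request, plain HTML included, before any content is served.
    # Returns (status, user); the login page itself is always reachable.
    if path == LOGIN_PAGE:
        return 200, None
    user = verify_session(_cookie_value(cookie_header, COOKIE) or "", now)
    return (200, user) if user else (302, None)  # 302 -> LOGIN_PAGE, nothing else
```

The gate only helps if the web server routes static files through it as well (a rewrite rule or a handler mapping), which is the "force all requests through a cgi" idea from the message.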




More information about the fedora-list mailing list