Re: [PHP] User redirection, passing HTTP AUTH credentials

Posted by Dan Trainor on 10/11/66 11:25

Kristen G. Thorson wrote:
> Dan Trainor wrote:
>
>> Hello once more, all -
>>
>> I was wondering if it's at all possible to redirect a user to a remote
>> site, while passing HTTP AUTH credentials somehow.
>>
>> I've been tinkering around with making a secure login gateway, and the
>> first server that they log in to would negotiate the login sequence, but
>> the system would have to preserve HTTP USER and HTTP PASSWD to be passed
>> to the remote site, as to be backwards compatible with existing HTTP
>> AUTH-based systems.
>>
>> I'd rather not use http://user:pass@site.com, however. There's got to
>> be a different way. I understand that the user's browser is the actual
>> element in which the username and password are stored for HTTP auth. Is
>> there a way to "inject" or "update" this information without any
>> interaction from the visitor him/herself?
>>
>> Thanks again!
>> -dant
>>
>>
>>
>
> A few weeks ago, I was asked the same question, due to a new M$ security
> feature:
> http://support.microsoft.com/kb/834489
>
> The authenticated site is third party and cannot change their login
> process or type, so that's why HTTP authentication cannot be turned into
> something else. The idea is that someone can make
> user:password@domain.com look like this:
>
> www.microsoft.com%01@evil.com
>
> which would make poor unsuspecting people think they were going to
> microsoft.com. The real problem is described here:
>
> http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx and
> http://support.microsoft.com/?id=833786
>
> If you hover your mouse over the link before this security update was
> applied, you should only see "www.microsoft.com", not the entire link
> url because of the %01 character. So, obviously, the whole thing has to
> be disabled!
>
> Okay, so then I looked into an AJAX-type thing, wondering if the browser
> would cache authentication if I passed it in a JavaScript call. I gave
> it a shot, but kept getting script syntax errors. Apparently the same
> security update that disabled authentication in the URL disabled it in
> the XMLHTTP open method:
> http://www.codingforums.com/archive/index.php/t-45348.html
>
> The workarounds MS described in 834489 (two of which are "tell them to
> enter the user name and password" and "don't do it at all". shoot me.)
> are all MS specific, and it'd be nice to find a method that would work
> on all (most) browsers.
>
> This is where I ended my research, but hopefully it will keep some other
> poor soul from having to wade through the MS knowledge base battling
> vague references to vulnerabilities and security holes. Good luck, and
> please let me know what your solution is.
>
>
> kgt
>

Kristen -

That's some very interesting research that you did there. I, too, tried
to look into a JavaScript solution and found the same problems.

I'm going to keep farting around with it here, and I'll let you know. I
don't expect to find something new, but rather, just make the whole
process that much less of a pain in the ass, of typing in a new username
and password.

Thanks
-dant
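
Added example, not part of the original thread: a link check for the userinfo trick described in the quoted message, where text before the `@` makes a URL appear to point at a different host than the one the browser contacts. It uses the standard WHATWG `URL` parser; the function names and finding labels are hypothetical, and the sample links are constructed from the URL forms quoted above.

```javascript
// Added example: flag links whose userinfo (text before "@") can hide the real host.
// inspectLink/auditLinks and the finding labels are hypothetical names.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href); // WHATWG URL parser (browsers and Node.js)
  } catch {
    return { href, valid: false, realHost: null, findings: ["unparseable"] };
  }
  const findings = [];
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  if (userinfo) {
    findings.push("userinfo-present");
    let decoded = userinfo;
    try {
      decoded = decodeURIComponent(userinfo);
    } catch {
      findings.push("malformed-escape");
    }
    // Escaped control bytes such as %01 could truncate what older UIs displayed.
    if (/[\u0000-\u001f\u007f]/.test(decoded)) findings.push("control-char-in-userinfo");
    // A dotted name before "@" reads like a hostname to a person skimming the link.
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(decoded)) findings.push("userinfo-looks-like-hostname");
  }
  return { href, valid: true, realHost: url.hostname, findings };
}

// Returns only the links that produced at least one finding.
function auditLinks(hrefs) {
  return hrefs.map(inspectLink).filter((r) => r.findings.length > 0);
}

// Constructed sample input; the first two are the URL forms quoted in the thread.
const sampleLinks = [
  "http://www.microsoft.com%01@evil.com/",
  "http://user:pass@site.com/",
  "http://site.com/login",
];
for (const r of auditLinks(sampleLinks)) {
  console.log(`${r.href} -> real host ${r.realHost}: ${r.findings.join(", ")}`);
}
```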

 
