Posted by Dan Trainor on 10/06/66 11:25
Kristen G. Thorson wrote:
> Dan Trainor wrote:
>
>> Hello once more, all -
>>
>> I was wondering if it's at all possible to redirect a user to a remote
>> site, while passing HTTP AUTH credentials somehow.
>>
>> I've been tinkering around with making a secure login gateway, and the
>> first server that they log in to would negotiate the login sequence, but
>> the system would have to preserve HTTP USER and HTTP PASSWD to be passed
>> to the remote site, as to be backwards compatible with existing HTTP
>> AUTH-based systems.
>>
>> I'd rather not use http://user:pass@site.com, however. There's got to
>> be a different way. I understand that the user's browser is the actual
>> element in which the username and password are stored for HTTP auth. Is
>> there a way to "inject" or "update" this information without any
>> interaction from the visitor him/herself?
>>
>> Thanks again!
>> -dant
>>
>>
>>
>
> A few weeks ago, I was asked the same question, due to new M$ security
> feature:
> http://support.microsoft.com/kb/834489
>
> The authenticated site is third party and cannot change their login
> process or type, so that's why HTTP authentication cannot be turned into
> something else. The idea is that someone can make
> user:password@domain.com look like this:
>
> www.microsoft.com%01@evil.com
>
> which would make poor unsuspecting people think they were going to
> microsoft.com. The real problem is described here:
>
> http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx and
> http://support.microsoft.com/?id=833786
>
> If you hover your mouse over the link before this security update was
> applied, you should only see "www.microsoft.com", not the entire link
> url because of the %01 character. So, obviously, the whole thing has to
> be disabled!
>
> Okay, so then I looked into an AJAX-type thing, wondering if the browser
> would cache authentication if I passed it in a Javascript call. I gave
> it a shot, but kept getting script syntax errors. Apparently the same
> security update that disabled authentication in the url disabled it in
> the XMLHTTP open method:
> http://www.codingforums.com/archive/index.php/t-45348.html
>
> The workarounds MS described in 834489 (two of which are "tell them to
> enter the user name and password" and "don't do it at all". shoot me.)
> are all MS specific, and it'd be nice to find a method that would work
> on all (most) browsers.
>
> This is where I ended my research, but hopefully it will keep some other
> poor soul from having to wade through the MS knowledge base battling
> vague references to vulnerabilities and security holes. Good luck, and
> please let me know what your solution is.
>
>
> kgt
>
Kristen -
That's some very interesting research that you did there. I, too, tried
to look into a JavaScript solution and found the same problems.
I'm going to keep farting around with it here, and I'll let you know. I
don't expect to find something new, but rather, just make the whole
process that much less of a pain in the ass, of typing in a new username
and password.
Thanks
-dant
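As an added example that is not part of the thread, a small link checker from the defender's side of the problem Kristen describes: it separates the host a browser will really connect to from the text a reader sees before the "@", and flags both plain user:pass@host links and the %01-style spoof. The sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links (not from the thread itself) covering the three
# cases discussed: an ordinary link, a user:pass@host link, and the
# www.microsoft.com%01@evil.com spoof that pre-MS04-004 IE displayed as
# "www.microsoft.com".
SAMPLE_LINKS = [
    "http://www.example.com/login",
    "http://user:pass@site.com/",
    "http://www.microsoft.com%01@evil.com/",
]


def classify_link(url):
    """Classify a link as 'clean', 'credentials' or 'spoof'.

    Returns (verdict, real_host, apparent_host): real_host is where the
    browser will actually connect; apparent_host is the text a reader sees
    before '@', with control characters removed, which is the part the %01
    trick used to hide everything after it.
    """
    parts = urlsplit(url)
    real_host = parts.hostname
    if "@" not in parts.netloc:
        return "clean", real_host, None
    userinfo = parts.netloc.rpartition("@")[0]
    decoded = unquote(userinfo)
    has_control = any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded)
    # The user-name portion is what a casual reader mistakes for the host.
    shown = decoded.split(":", 1)[0]
    apparent_host = "".join(c for c in shown if 0x20 <= ord(c) != 0x7F)
    if has_control or "." in apparent_host:
        return "spoof", real_host, apparent_host
    return "credentials", real_host, apparent_host


def scan_links(urls):
    """Return only the links that should be blocked or flagged for review."""
    return [(u, classify_link(u)) for u in urls if classify_link(u)[0] != "clean"]


if __name__ == "__main__":
    for url, (verdict, real, shown) in scan_links(SAMPLE_LINKS):
        print(f"{verdict:11} real={real} shown={shown} {url}")
```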