Item4393: Use HTTP standard Authorization header, instead of username and password parameters
Priority: Enhancement
Current State: No Action Required
Released In: n/a
Target Release: n/a
At the moment the only way to pass authentication information to TWiki when TemplateLogin is in use is via the username and password parameters. This is insecure, and rather hard to code for when writing, for example, REST handlers.
HTTP has a standard header, Authorization, that is used to pass auth information to the server when ApacheLogin is in use. IMHO there's no reason not to use this for TemplateLogin as well, but with the big difference of course that the header needs to be explicitly included in the request, rather than appearing automagically.
I'm setting this to Urgent because I feel it really needs to be done sooner rather than later.
--
TWiki:Main/CrawfordCurrie - 19 Jul 2007
"Urgent" would block a release, and for a pretty long time in this case, as far as I can tell.
The Authorization header is supplied by browsers, after they have acquired the appropriate credentials, for example a user id and a password. As far as I can tell, there's no chance to convince browsers to create this header from something as simple as a TemplateLogin HTML form.
Browsers usually ask for a user id and password if they receive a 401 status code accompanied by a WWW-Authenticate header, which you can both send from a CGI script. But if they do, they are using their own forms. All you can provide from your CGI is a realm string which can tell the user what his user id will be used for. So there's no chance that this will look like a TemplateLogin.
Username and password aren't really more secure when used in the Authorization header as compared to form parameters of a POST request. Both need to be used with HTTPS if you are serious about security.
So I'm setting this to "Enhancement".
--
TWiki:Main.HaraldJoerg - 20 Jul 2007
Sadly, Apache doesn't pass on the Authorization header to CGIs, and while I have found a Rewrite that might help, it didn't work on my system.
--
SvenDowideit - 09 Dec 2010
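As an added illustration of the two points raised above (the 401 + WWW-Authenticate challenge with a realm from Harald's post, and the Authorization header not reaching the CGI from Sven's post), here is a small Python model of what a CGI-style handler has to do to accept Basic credentials from the header. This is example code written for this page, not TWiki code; the user table, realm string and the environ dicts are constructed for the demo. The mod_rewrite lines in the comment are the commonly used workaround for Apache stripping the header, and CGIPassAuth is the Apache 2.4.13+ directive for the same purpose; whether either works on a given host is not something this example can verify.

```python
import base64
import hmac

# Constructed demo credential store. In a real deployment this would be the
# password manager; a plaintext dict is used only to keep the example offline.
DEMO_USERS = {"alice": "secret"}

# Realm string shown by the browser's own login dialog (constructed value).
REALM = "TWiki"


def parse_basic_authorization(header):
    """Return (user, password) from a 'Basic <base64>' header value, else None.

    Covers the cases a CGI actually sees: header absent, a different scheme,
    undecodable base64, or a decoded string with no user:password separator.
    """
    if not header:
        return None
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authorization_from_cgi_env(environ):
    """Locate the Authorization header as Apache exposes it to a CGI script.

    Stock Apache does not hand the header to CGIs at all (mod_cgi/mod_cgid
    only does so with 'CGIPassAuth On', available from 2.4.13).  The usual
    mod_rewrite workaround re-exports it as an environment variable:

        RewriteEngine On
        RewriteCond %{HTTP:Authorization} ^(.+)
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]

    After an internal redirect Apache prefixes such variables with REDIRECT_,
    so both spellings are checked here.
    """
    for key in ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION"):
        value = environ.get(key)
        if value:
            return value
    return None


def challenge(message):
    # A 401 with WWW-Authenticate is what makes the browser pop up its own
    # login form; the realm is the only text we control in that dialog.
    return (401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, message)


def check_request(environ):
    """Return (status, headers, body) for a CGI-style environ dict."""
    creds = parse_basic_authorization(authorization_from_cgi_env(environ))
    if creds is None:
        return challenge("authentication required")
    user, password = creds
    # Compare against an empty string for unknown users so the comparison
    # always runs; constant-time compare avoids leaking the stored value.
    expected = DEMO_USERS.get(user, "")
    if not expected or not hmac.compare_digest(password.encode(), expected.encode()):
        return challenge("bad credentials")
    return (200, {}, "hello " + user)


if __name__ == "__main__":
    # Constructed requests: no header, header as forwarded by the rewrite,
    # and header as seen after an internal redirect.
    for env in ({}, {"HTTP_AUTHORIZATION": "Basic YWxpY2U6c2VjcmV0"},
                {"REDIRECT_HTTP_AUTHORIZATION": "Basic YWxpY2U6c2VjcmV0"}):
        print(check_request(env))
```

As Harald notes, none of this makes the credential safer on the wire than a POSTed form; the header only changes where the client puts it, so the handler still has to sit behind HTTPS.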
Setting to No Action. If Apache doesn't pass along the auth header, not much we can do.
--
Main.GeorgeClark - 05 Jan 2015 - 01:01