
Item4393: Use HTTP standard Authorization header, instead of username and password parameters

Priority: Enhancement
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: FoswikiUILogin
Branches:
Reported By: TWiki:Main.CrawfordCurrie
Waiting For:
Last Change By: GeorgeClark
At the moment the only way to pass authentication information to TWiki when TemplateLogin is in use is via the username and password parameters. This is insecure, and rather hard to code for when writing, for example, REST handlers.

HTTP has a standard header, Authorization, that is used to pass auth information to the server when ApacheLogin is in use. IMHO there's no reason not to use this for TemplateLogin as well, but with the big difference of course that the header needs to be explicitly included in the request, rather than appearing automagically.

I'm setting this to Urgent because I feel it really needs to be done sooner rather than later.

-- TWiki:Main/CrawfordCurrie - 19 Jul 2007

"Urgent" would block a release, and for a pretty long time in this case, as far as I can tell.

The Authorization header is supplied by browsers, after they have acquired the appropriate credentials, for example a user id and a password. As far as I can tell, there's no chance to convince browsers to create this header from something as simple as a TemplateLogin HTML form.

Browsers usually ask for a user id and password if they receive a 401 status code accompanied by a WWW-Authenticate header, which you can both send from a CGI script. But if they do, they are using their own forms. All you can provide from your CGI is a realm string which can tell the user what his user id will be used for. So there's no chance that this will look like a TemplateLogin.

Username and password aren't really more secure when used in the Authorization header as compared to form parameters of a POST request. Both need to be used with HTTPS if you are serious about security.

So I'm setting this to "Enhancement".

-- TWiki:Main.HaraldJoerg - 20 Jul 2007

Sadly, Apache doesn't pass on the Authorization header to CGIs, and while I have found a Rewrite that might help, it didn't work on my system.

-- SvenDowideit - 09 Dec 2010
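The exchange Harald describes (the CGI answers 401 with WWW-Authenticate, the browser comes back with Authorization) and the Apache limitation Sven mentions, shown together as an added example that is not part of this ticket or of Foswiki's code. The handler below reads the header from either HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION, which is where the commonly used mod_rewrite workaround (quoted in the docstring) lands it; names such as handle_request, encode_basic and the "alice" user are this example's own. Newer Apache (mod_cgi/mod_cgid in 2.4.13 and later) also has a CGIPassAuth directive that forwards the header without the rewrite rule.

```python
"""Added example (not Foswiki code): HTTP Basic auth in a CGI-style handler.

Two facts from the ticket drive the design:

1. A browser only sends Authorization after a 401 + WWW-Authenticate
   challenge, using its own dialog and the realm string we supply.
2. Apache does not normally hand Authorization to CGI scripts. The usual
   mod_rewrite workaround copies it into an environment variable, which
   the script sees as HTTP_AUTHORIZATION or, after an internal redirect,
   REDIRECT_HTTP_AUTHORIZATION:

       RewriteEngine On
       RewriteCond %{HTTP:Authorization} .
       RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
"""
import base64
import binascii
import hmac

REALM = "Foswiki"  # realm string shown in the browser's own login dialog

# Constructed sample user table for this example; real code stores hashes.
USERS = {"alice": "secret"}


def challenge(realm=REALM):
    """(status, headers, body) that makes a browser pop up its credential dialog."""
    return (401,
            [("WWW-Authenticate", 'Basic realm="%s"' % realm)],
            "Authentication required\n")


def find_authorization(environ):
    """Return the raw Authorization header value from a CGI environment, or None."""
    for key in ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION"):
        value = environ.get(key)
        if value:
            return value
    return None


def encode_basic(user, password):
    """Build the header value a client (e.g. a REST caller) would send."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header_value):
    """Decode 'Basic base64(user:password)'; return (user, password) or None.

    Base64 is an encoding, not encryption: anyone who can read the request
    can read the password, which is why this must travel over HTTPS.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The password may itself contain ':'; only the first one separates the user.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_credentials(user, password, users=USERS):
    """Compare with hmac.compare_digest so timing does not reveal a matching prefix."""
    expected = users.get(user)
    if expected is None:
        # Unknown user: still spend a comparison so the two failure paths look alike.
        hmac.compare_digest(password.encode("utf-8"), password.encode("utf-8"))
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle_request(environ, users=USERS):
    """Return (status, headers, body) for a CGI-style environment dict."""
    raw = find_authorization(environ)
    if raw is None:
        return challenge()
    creds = parse_basic(raw)
    if creds is None or not check_credentials(creds[0], creds[1], users):
        return challenge()  # malformed or wrong: re-challenge rather than leak why
    return 200, [("Content-Type", "text/plain")], "Hello, %s\n" % creds[0]


if __name__ == "__main__":
    import os
    status, headers, body = handle_request(os.environ)
    print("Status: %d" % status)
    for name, value in headers:
        print("%s: %s" % (name, value))
    print()
    print(body, end="")
```

Run as a CGI behind the rewrite rule above and a request without credentials gets the 401 challenge, the browser shows its dialog with the realm "Foswiki", and the retry carries `Authorization: Basic YWxpY2U6c2VjcmV0` (base64 of the constructed "alice:secret"). Two caveats a practitioner should keep in mind: Basic is only base64, so Harald's HTTPS point applies in full, and browsers cache Basic credentials for the session, so there is no server-side logout the way there is with a TemplateLogin cookie.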

Setting to No Action. If Apache doesn't pass along the auth header, not much we can do.

-- Main.GeorgeClark - 05 Jan 2015 - 01:01

SVN Range: TWiki-4.1.2, Thu, 19 Jul 2007, build 14438
Topic revision: r4 - 05 Jan 2015, GeorgeClark