
CS479/579 - Web Programming II

Web Authentication

HTTP Basic Authentication (Basic):

The simplest method of authenticating a session uses fields in the HTTP header to perform the authentication. This is not secure unless HTTPS (encrypted HTTP) is used, since the credentials (user-name and password) are only Base64 encoded, there is no key exchange, etc. Preferably you should force HTTPS prior to the authentication step.

It does have the benefit that it is built into the server/browser, making implementation fairly easy.

The Basic Authentication (BA) header is sent by the browser to authenticate each page; how long the browser chooses to keep doing this (its caching policy) is defined by the browser (examples could be 15 minutes or until the browser is closed). The protocol has no means to "logout" an authenticated browser.

Login credentials can also be placed directly in the URL (the user-info part before the host name):

https://username:password@www.example.com/index.html
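To make the "only Base64 encoded" point concrete, here is an added example (not from the course notes) that builds the Authorization header a browser sends and parses it back in PHP; the user name and password are constructed values:

```php
<?php
// Added example (not from the course notes): what the browser actually sends for
// Basic authentication, and how a PHP page can read it back. The user and
// password values below are constructed for the demonstration.

// Build the Authorization header value the browser sends after the login prompt.
function basic_auth_header(string $user, string $pass): string
{
    // The credentials are "user:password", Base64-encoded. Base64 is an
    // encoding, not encryption: anyone who sees the header can reverse it.
    return 'Basic ' . base64_encode($user . ':' . $pass);
}

// Parse the header back. Returns [user, password] or null if it is not Basic auth.
function parse_basic_auth_header(string $header): ?array
{
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);   // strict: reject junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the FIRST colon only: user names may not contain ':' but passwords can.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// Round trip on constructed values; note the colon inside the password survives.
$header = basic_auth_header('sbaker', 'pa:ss');
[$u, $p] = parse_basic_auth_header($header);

// On a page protected by Apache's Basic auth (with mod_php), the same values are
// already available as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
// Only rely on them when the request arrived over HTTPS:
$over_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
```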

In Apache to setup Basic Auth:

Create a .htaccess file at the root of the path to which you wish to allow only authenticated access; among other lines, it may contain:

Example .htaccess file

# Path to the .htpasswd file that contains usernames and passwords. It should
# be stored in a location that is not browsable (i.e. outside of the document
# root). You must use an absolute path to this file.

AuthUserFile /some/safedirectory/.htpasswd

# Path to a group file (maps group names to lists of usernames); /dev/null
# means no groups are used:

AuthGroupFile /dev/null

# What to say when the user is prompted for the username and password, can say
# anything, but should give a hint as to what they're logging into:

AuthName "Please Enter Password"

# Type of authentication mechanism, one of: Basic, Digest or Form.  We'll use
# Basic for now:

AuthType Basic

# Requires that someone be successfully logged in to access these pages.
# Alternatively could be "require user <username>" to require a specific user.

Require valid-user


To generate the .htpasswd file you can use the command line 'htpasswd' utility:

htpasswd [-c] [-i] [-m] path-to-.htpasswd username

-c Create the .htpasswd file if it doesn't exist, re-create it if it does.
-i Read the password from stdin w/o verification (useful for script use)
-m Use MD5 hashes (the default)

Example:

htpasswd -c .htpasswd sbaker

The .htaccess and .htpasswd files must be readable by the web server, but don't need to be readable by anyone else. You may consider "securing" them with ACLs or the like:

setfacl -m u:apache:r .htaccess .htpasswd

HTTP Digest Authentication (Digest)

Doesn't transfer the password in cleartext, but uses MD5 digest auth. Apparently not any more secure than Basic Authentication, since man-in-the-middle attacks may easily force it back to Basic Authentication. Also, the way passwords are stored on the server was insecure.

HTTP Form Authentication (Form)

Allows you to use an HTML form to facilitate the authentication. Requires the additional modules mod_auth_form and mod_session_cookie.

Cookies:

We use cookies to maintain state between the browser and the server. Cookies are in the form of name/value pairs.

bool setcookie(string $name [, string $value = "" [, int $expire = 0 [, string $path = ""
    [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]])

$name Name of the cookie
$value Value is stored on the browser side. Do not put sensitive information in the value.
$expire The time the cookie expires in seconds since the epoch. 0 = expire at end of browser session. time()+60*60*24*30 = 30 days
$path The path on the server to which this cookie will be available. / = entire domain. Default is the current directory.
$domain The domain the cookie is available to.
$secure Should only be transferred over HTTPS when this is true.
$httponly When true the cookie is only available via the HTTP protocol and won't be available to JavaScript. May help prevent Cross Site Scripting (XSS) vulnerabilities.


Cookies that have been set are available via the PHP $_COOKIE super-global. Note: Dots (.) and spaces in cookie names are replaced with underscores.

PHP sessions:

PHP has built-in support for short-term persistent "session" variables stored in the $_SESSION super-global. Sessions are cached on the server in local files (e.g. /var/lib/php/sess*)

Sessions are identified by the PHPSESSID cookie (name defined in the php.ini config file.)

session_start();

Starts a new PHP session or re-establishes the current one. It must be the very first thing in your document, before any HTML output, because the session cookie must be set (emitted in the HTTP header) before the body begins. Creates or retrieves the session cookie (PHPSESSID) to identify the session and sets up or loads the session cache file.

Session variables are then set/retrieved via the $_SESSION super-global.

session_unset();

Removes all the session variables.

session_destroy();

Destroys the session, i.e. removes the session cookie, and session cache.

Fairly easy to use; the downside is they are not usually persistent over long periods. The CS servers' default is 24 minutes until a session is considered garbage and may be cleaned up by the garbage collector.
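As an added example (not from the course notes), the following PHP login/logout flow ties the setcookie() flags and the session functions above together; it assumes the site is served over HTTPS, and $users is a constructed sample store standing in for a real database of password hashes:

```php
<?php
// Added example (not from the course notes): a login/logout flow that ties the
// setcookie() flags and the session functions described above together.
// Assumptions: the site is served over HTTPS; $users is a constructed sample
// store standing in for a real database of password hashes.

// Cookie flags for the PHPSESSID cookie must be set BEFORE session_start().
// secure: only sent over HTTPS. httponly: not readable from JavaScript (XSS).
session_set_cookie_params([
    'lifetime' => 0,      // 0 = expire when the browser closes
    'path'     => '/',    // available to the entire site
    'domain'   => '',     // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',  // PHP 7.3+: limits cross-site sending of the cookie
]);
session_start();          // must come before any HTML output

// Constructed sample user store: only password hashes, never plaintext passwords.
$users = ['sbaker' => password_hash('correct horse', PASSWORD_DEFAULT)];

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Issue a fresh session id on login so an id handed out before authentication
    // cannot be reused (session fixation); true deletes the old session file.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    session_unset();                // remove all session variables
    // Also expire the PHPSESSID cookie in the browser, using the flags it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();              // remove the server-side session cache
}

// Typical use in the login form's POST handler:
// if (login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '')) { /* logged in */ }
```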

Forcing HTTPS via .htaccess:

.htaccess in apache to re-write the URL to make sure that HTTPS is enabled:

# Turns on the URL re-writing engine in apache:
RewriteEngine   on

# The condition that if true causes the following rule to run:
RewriteCond     %{HTTPS} off

# The URL re-writing rule:
# (.*) matches the entire original URL, then re-written as the URL that follows.
# [R=301,L]: send a permanent redirect and stop processing further rules.
RewriteRule     (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]