At the moment the only way to pass authentication information to TWiki when TemplateLogin
is in use is via the username and password parameters. This is insecure, and rather hard to code for when writing, for example, REST handlers.
HTTP has a standard header, Authorization, that is used to pass auth information to the server when ApacheLogin
is in use. IMHO there's no reason not to use this for TemplateLogin
as well, but with the big difference of course that the header needs to be explicitly included in the request, rather than appearing automagically.
I'm setting this to Urgent because I feel it really needs to be done sooner rather than later.
- 19 Jul 2007
"Urgent" would block a release, and for a pretty long time in this case, as far as I can tell.
The Authorization header is supplied by browsers, after they have acquired the appropriate credentials, for example a user id and a password. As far as I can tell, there's no chance to convince browsers to create this header from something as simple as a TemplateLogin HTML form.
Browsers usually ask for a user id and password if they receive a 401 status code accompanied by a WWW-Authenticate
header, which you can both send from a CGI script. But if they do, they are using their own forms. All you can provide from your CGI is a realm
string which can tell the user what his user id will be used for. So there's no chance that this will look like a TemplateLogin.
Username and password aren't really more secure when used in the Authorization
header as compared to form parameters of a POST
request. Both need to be used with HTTPS
if you are serious about security.
So I'm setting this to "Enhancement".
- 20 Jul 2007
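The mechanics both posts describe, as an added example that is not part of this thread and not TWiki's own code: a client adding the Authorization header by hand (what the first post asks for), a server-side handler that accepts either that header or the username/password form parameters TemplateLogin already understands, the 401 plus WWW-Authenticate challenge with its realm string from the second post, and the second post's caveat that neither way of sending the password is safe without HTTPS. Assumptions: the CGI variable names HTTP_AUTHORIZATION and HTTPS, the constructed USERS table, the realm name "TWiki" and all function names are mine for illustration. One practical check before relying on this: confirm that your web server actually forwards the Authorization header to CGI scripts, since some do not do so by default.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed user table for the example; a real installation would consult
# its own user mapping / password store instead.
USERS = {"alice": "s3cret"}


def build_basic_authorization(user: str, password: str) -> str:
    """Client side: the header a REST client has to add explicitly.
    Basic auth is just base64(user:password), which is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (user, password) from an Authorization header.
    Returns None for a missing, non-Basic or malformed header instead of raising."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user id may not contain ':', so split on the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_from_request(env: Dict[str, str], form: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Prefer the Authorization header when present, otherwise fall back to the
    username/password form parameters. HTTP_AUTHORIZATION is the CGI name for
    the header; assumption: the web server forwards it to the script at all."""
    creds = parse_basic_authorization(env.get("HTTP_AUTHORIZATION"))
    if creds is not None:
        return creds
    user, password = form.get("username"), form.get("password")
    if user and password:
        return user, password
    return None


def challenge_response(realm: str) -> Tuple[int, Dict[str, str]]:
    """The 401 + WWW-Authenticate reply. The realm is the only text of yours
    the browser shows inside its own login dialog."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def handle(env: Dict[str, str], form: Dict[str, str], realm: str = "TWiki") -> Tuple[int, Dict[str, str], Optional[str]]:
    """One request: returns (status, extra response headers, authenticated user or None)."""
    # Header or form, the password travels in the clear without TLS. Refuse
    # outright rather than challenge, so the browser is not invited to send it.
    if env.get("HTTPS", "").lower() not in ("on", "1"):
        return 403, {}, None
    creds = credentials_from_request(env, form)
    if creds is None:
        status, headers = challenge_response(realm)
        return status, headers, None
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        status, headers = challenge_response(realm)
        return status, headers, None
    return 200, {}, user


if __name__ == "__main__":
    # Constructed request: a REST client adding the header by hand, over HTTPS.
    env = {"HTTPS": "on", "HTTP_AUTHORIZATION": build_basic_authorization("alice", "s3cret")}
    print(handle(env, {}))                                        # (200, {}, 'alice')
    print(handle({"HTTPS": "on"}, {}))                            # 401 challenge with realm
    print(parse_basic_authorization(env["HTTP_AUTHORIZATION"]))  # shows how little base64 hides
```

Running the last line against the constructed header makes the second post's point concrete: anyone who can read the request, header or form body alike, has the password, which is why the handler refuses credentials when the HTTPS variable is not set.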