• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item4393: Use HTTP standard Authorization header, instead of username and password parameters

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Enhancement New   n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

At the moment the only way to pass authentication information to TWiki when TemplateLogin is in use is via the username and password parameters. This is insecure, and rather hard to code for when writing, for example, REST handlers.

HTTP has a standard header, Authorization, that is used to pass auth information to the server when ApacheLogin is in use. IMHO there's no reason not to use this for TemplateLogin as well, but with the big difference of course that the header needs to be explicitly included in the request, rather than appearing automagically.

I'm setting this to Urgent because I feel it really needs to be done sooner rather than later.

-- TWiki:Main/CrawfordCurrie - 19 Jul 2007

"Urgent" would block a release, and for a pretty long time in this case, as far as I can tell.

The Authorization header is supplied by browsers, after they have acquired the appropriate credentials, for example a user id and a password. As far as I can tell, there's no chance to convince browsers to create this header from something as simple as a TemplateLogin HTML form.

Browsers usually ask for a user id and password if they receive a 401 status code accompanied by a WWW-Authenticate header, which you can both send from a CGI script. But if they do, they are using their own forms. All you can provide from your CGI is a realm string which can the user what his user id will be used for. So there's no chance that this will look like a TemplateLogin.

Username and password aren't really more secure when used in the Authorization header as compared to form parameters of a POST request. Both needs to be used with HTTPS if you are serious about security.

So I'm setting this to "Enhancement".

-- TWiki:Main.HaraldJoerg - 20 Jul 2007

ItemTemplate
Summary Use HTTP standard Authorization header, instead of username and password parameters
ReportedBy TWiki:Main.CrawfordCurrie
Codebase

SVN Range TWiki-4.1.2, Thu, 19 Jul 2007, build 14438
AppliesTo Engine
Component

Priority Enhancement
CurrentState New
WaitingFor

Checkins

TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r2 - 2007-07-20 - TWikiUserMapping_HaraldJoerg
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback