AJAX - The Complete Reference


PART II


Chapter 7: Security Concerns 307


First, the script checks to see if PHP_AUTH_USER or PHP_AUTH_PW are set. If they
are not, an initial 401 Authentication required challenge is sent back. Next, it checks to
see if PHP_AUTH_USER and PHP_AUTH_PW hold the correct values. If so, access is granted.
Otherwise, another 401 is issued. After access is granted, the browser will create the
Authorization header, and the user can then be redirected or provided a link to the password-
protected area. Since the proper header already exists, the browser will not prompt for
credentials again. You can see this approach work in some popular browsers but not in
others, as some browsers will still display their own login dialog, particularly in the negative
case. Further, an automatic redirect may also trigger a dialog in some situations. If this
doesn't dissuade you from using basic authentication, the next section may.

In the Clear
Assuming the previous method worked as cleanly as it should, the customized display,
the ability to control credentials without server administration, and the fact that it does
not rely on cookies would make this form of authentication quite attractive. However, there
is a huge negative with basic HTTP Authentication: the username and password are passed
in clear text. Looking at the header, you might think that it does not appear to be in clear
text. However, it is only wrapped in simple base64 encoding, which is an encoding rather
than encryption and is trivial to decode. Take a look at http://ajaxref.com/ch7/decode64.html.
The base64 in the box is from the header of the last example. Simply click Decode to see
the username/password, as shown in Figure 7-6.
To reduce the exposure of credentials in transit, you might consider performing some
encryption in JavaScript and then having the PHP page compare the encrypted values. In
the example at http://ajaxref.com/ch7/authenticationhash.html, a simple md5 hash is
computed over the user-provided password and then compared to the hash of the expected
password on the server side. This certainly could be used to determine whether the
passwords match and then redirect the user to the appropriate area. Interestingly though,
the redirection to a protected area won't work because after it sets the value of PHP_AUTH_USER to the

FIGURE 7-6 Basic password insecurity
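The two points made in this section, that a Basic Authorization header is only base64-wrapped and that a server can compare a client-supplied md5 hash against the hash of the expected password, as an added Python example that is not part of the book or its companion site. The header line and the credentials in it are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample: the header a browser sends once Basic authentication
# has succeeded. "thomas:secret" is a made-up credential pair.
SAMPLE_HEADER = "Authorization: Basic " + base64.b64encode(b"thomas:secret").decode()


def decode_basic_header(header_line):
    """Recover (username, password) from a full 'Authorization: Basic ...' line.

    Returns None if the line is not a well-formed Basic credential. Nothing
    here is secret: base64 is an encoding, not encryption, so anyone who can
    read the request on the wire can do exactly this.
    """
    _, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def client_md5(password):
    """What the JavaScript side sends in the hashed-password scheme: md5 as hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def check_hashed_password(submitted_hex, expected_password):
    """Server-side half of the scheme: hash the expected password and compare.

    compare_digest is used so the comparison time does not depend on how many
    leading characters of the two hex strings happen to match.
    """
    return hmac.compare_digest(submitted_hex.lower(), client_md5(expected_password))


if __name__ == "__main__":
    print(decode_basic_header(SAMPLE_HEADER))            # ('thomas', 'secret')
    print(check_hashed_password(client_md5("secret"), "secret"))  # True
```

Run it as a script to see the decoded pair printed; the decoder also rejects non-Basic schemes and malformed base64 rather than raising.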