Results 1 to 4 of 4

Thread: HTTP Authentication

  1. #1
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002

    Question HTTP Authentication

    I have a question about http security. Let's say on my webserver I had a directory that I was to issue a username/password to access this directory. But lets say if someone were to telnet to my web server on port 80 of course and issue the command
    Get /protected/directory HTTP/1.1
    Would it display in Mime::Base64 coding , The list of the username/password for this directory ?. Like in the form Basic : erwweDdrerw ==
    My theories on this are a little mixed up..
    Any help would be appreciated..
    "Serenity is not the absence of conflict, but the ability to cope with it."

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    Yes. You will need to send the Basic Authentication header with the username:password base64 encoded. The sever will not send it to you, you will need to send it to the server or you will be denied access.

    Try installing a sniffer on your machine and use your regular browser to connect en enter the password. After that look at the info your sniffer picked up. Should be easy to see how this interaction works (it's all plain text).

    Tip: Ethereal has the ability to show you the entire interaction by clicking on the first (syn) packet to the server and selecting 'Follow tcp stream' (or something similar).
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Oct 2002
    no it wont. The server should in your case return a 403, not authorised code for the page. The passwords for the users are normally held by the operating system, and who is allowed to see what is controled by .htacess file

    I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Hopefully the server would as SD says, issue a 403.

    If it's set up properly, a web server will send the same response for any password protected resource, even if it doesn't exist. This means that if they have no permission to it, they can't even guess filenames.

    The web server will *not* send the password back to the browser (encoded or otherwise), that would be silly.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts