July 3rd, 2003, 11:14 AM
I have a question about http security. Let's say on my webserver I had a directory that I was to issue a username/password to access this directory. But let's say someone were to telnet to my web server on port 80 of course and issue the command
Get /protected/directory HTTP/1.1
Would it display, in Mime::Base64 encoding, the list of usernames/passwords for this directory? Like in the form Basic : erwweDdrerw==
My theories on this are a little mixed up..
Any help would be appreciated..
"Serenity is not the absence of conflict, but the ability to cope with it."
July 3rd, 2003, 12:28 PM
Yes. You will need to send the Basic Authentication header with the username:password base64 encoded. The server will not send it to you, you will need to send it to the server or you will be denied access.
Try installing a sniffer on your machine and use your regular browser to connect and enter the password. After that look at the info your sniffer picked up. Should be easy to see how this interaction works (it's all plain text).
Tip: Ethereal has the ability to show you the entire interaction by clicking on the first (syn) packet to the server and selecting 'Follow tcp stream' (or something similar).
Experience is something you don't get until just after you need it.
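The interaction described in the reply above, as an added example that is not code from the thread: the browser builds the `Authorization: Basic` header from a base64-encoded `user:password`, the server challenges with a 401 and `WWW-Authenticate` when the header is missing or wrong, and the same header decodes back to plaintext with one call, which is why a sniffer on plain HTTP sees the credential. The username and password are constructed sample values.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample credential for the demo, not taken from the thread.
USERNAME = "alice"
PASSWORD = "s3cret"


def build_basic_header(username: str, password: str) -> str:
    """Value a browser puts in 'Authorization:' after it sees the 401 challenge."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Recover user:password from a Basic header. Base64 is encoding, not encryption,
    so anyone who sees this header on the wire (the sniffer above) gets the plaintext."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pwd = decoded.partition(":")
    return (user, pwd) if sep else None


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Server side: challenge when credentials are missing or wrong, never echo them."""
    creds = parse_basic_header(headers.get("Authorization", ""))
    expected = f"{USERNAME}:{PASSWORD}".encode("utf-8")
    supplied = ":".join(creds).encode("utf-8") if creds else b""
    # Constant-time comparison so the check does not leak through timing.
    if not hmac.compare_digest(supplied, expected):
        return 401, {"WWW-Authenticate": 'Basic realm="protected"'}
    return 200, {}


def exchange() -> list:
    """The two-step interaction: a bare GET is challenged, a GET with the header gets through."""
    first, _ = handle_request({})  # bare GET with no header, as in the question
    second, _ = handle_request({"Authorization": build_basic_header(USERNAME, PASSWORD)})
    return [first, second]  # returns [401, 200]
```

Run `exchange()` to see the 401 followed by the 200; feed the header string to `parse_basic_header` to see that the "encoded" password is recovered directly.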
July 3rd, 2003, 02:59 PM
No, it won't. The server should, in your case, return a 403 (not authorised) code for the page. The passwords for the users are normally held by the operating system, and who is allowed to see what is controlled by the .htaccess file.
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
July 3rd, 2003, 03:02 PM
Hopefully the server would as SD says, issue a 403.
If it's set up properly, a web server will send the same response for any password protected resource, even if it doesn't exist. This means that if they have no permission to it, they can't even guess filenames.
The web server will *not* send the password back to the browser (encoded or otherwise), that would be silly.