Is there any way (apart from HTTP authentication, which I gather is inherently insecure over the Internet?) for a "real life" website to handle logins and authentication rather than the traditional way, using session cookies?
Correction: HTTP auth when using HTTPS is as secure as the SSL session.
Randolpho
2009-04-03 17:23:00
You can't implement logout functionality in Basic Auth, that's pretty rubbish :)
dr. evil
2009-04-03 18:09:26
For firefox, see these bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=55181 and https://bugzilla.mozilla.org/show_bug.cgi?id=287957 . But yes, I agree.
sharth
2009-04-03 20:25:55
+1
A:
HTTP basic authentication is perfectly safe when used with a SSL (https://) website since all HTTP traffic including the credentials will be encrypted. One subjective drawback though is when using this method your users will need to interact with their browser's authentication popup in order to log in to your site.
Adam Alexander
2009-04-03 17:14:52
So presumably major websites don't use HTTP auth because SSL is rather resource intensive at both ends? Why would the user being able to interact with the authentication popup be a problem? If they had a disability would they not already have mechanisms in place to overcome this problem?
Jonathan Ford
2009-04-03 17:23:13
Without SSL, any form of web authentication is less secure so the decision has more to do with the level of security needed at login and less to do with what type of authentication is in use. The browser popup concern is mostly about site design as it can look out of place and be jarring to users
Adam Alexander
2009-04-03 17:36:02
A:
To be clear, the only REAL way to do this is through HTTPS.
But, since I assume this is not an option, and I also assume you are looking for a "fully managed login" system, I continue:
Other than HTTPS it is possible to use JavaScript to do secure hashing of passwords on the client side, to prevent revealing plain text passwords over-the-wire, but this is only a half-solution.
The problems with this approach are:
- A replay attack is still a viable option.
- Only users with JavaScript enabled would be able to auth in this way.
Another approach is a more complicated challenge / response mechanism:
- Send a "Challenge" along with the login page.
- Calculate the hash of the Password + Challenge client side.
- Submit the login.
- Calculate the hash of the Password + Challenge (which MUST NOT be trusted in the page request) on the server side, and compare.
And the problems with that:
- Only users with JavaScript enabled would be able to auth in this way.
- The PLAINTEXT password must be stored on the server to validate the challenge response, and must be encrypted on disk or otherwise protected.
Now, to be fair, problem #2 is not as big of a danger as it sounds. In fact when you instead use HASH authentication, the hash itself is raised to the level of "key".
At this point it is fairly secure to use a cookie to store a randomly generated login ReferrenceID, similar to their session ID, but the server may want to encrypt using the referring IP as part of the IV or KEY to prevent other users from Hijacking the ReferrenceID.
Anyways, I hope that provides a little bit of direction in the way of your design.
John Gietzen
2009-04-03 18:07:58
A:
Using SSL for encryption in combination with HttpOnly Cookies to help prevent XSS is your best bet for using cookies. I'm not going to say it is bullet-proof, though.
Josh Stodola
2009-04-03 18:09:12
but it's still exploitable with an interactive XSS channel. Take a look at BeeF, BrowserRaider, XSS Shell and XSS Tunnelling
dr. evil
2009-04-03 18:12:29
A:
Firstly, HTTP Auth is secure over SSL other than the fact that you can't implement a true "Logout" functionality. User need to close their browser, which is pretty bad.
Secondly, It you need to use HTTPS in all cases to make it secure, after that you got Basic Auth similar stuff such as "Digest" and "NTLM Auth".
dr. evil
2009-04-03 18:11:30
+3
A:
HTTP digest authentication (which is quite a different beast from HTTP basic authentication) is quite secure over straight HTTP, and not at all difficult to implement on the server. Nothing is sent over the wire that could reveal what the password is, just information that allows the client to demonstrate to the server that they have the correct password.
If you want a decent explanation of how to implement HTTP digest authentication in your application, Paul James has an excellent article on it.
The only real problem with HTTP authentication is in the browsers themselves: the UI is terrible, but that can be overcome with some Javascript.
Keith Gaughan
2009-04-03 18:14:26