httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James G Smith <>
Subject Re: user authentication "best practices"
Date Fri, 17 Mar 2000 22:44:57 GMT wrote:
>What I've seen so far only discusses security over the Web, but 
>not the server itself. For example what happens if I go to great 
>lengths to protect my site over the Web (e.g. use digest passwords 
>over SSL along with client certificates), but then leave the directory 
>open on the server so that any user can read the data in it & I 
>expose that directory via FTP. Or the ramifications of allowing CGI 
>access on a server. 

If you're using digest over SSL, I would prefer Basic over SSL.  The
reason is that with Basic auth, I can encrypt the passwords on the
server.  With digest authentication, the server must know the
unencrypted md5 hash of the password, realm, and username, as does
the browser.  In fact, all the browser must know is the md5 hash
of those values.  This is discussed in Section 4.13 of RFC 2617
(pg. 26).  With SSL, the password is protected anyway, so digest
doesn't gain a sufficient security advantage over encrypting the
passwords on the server, imho.

>We must also keep in mind that some choices (e.g. storing id and 
>password in a cookie) might be done for a particular reason (e.g. 
>so that you can set timeouts on an account, something that you 
>can't easily do via BASIC authentication) and that you can other 
>things to protect the cookie in a setting like this (e.g. 3DES 
>encrypt it & set the cookie to expire when the browser closes). 

I know this is getting into details, but...

Keep in mind that you can't rely on the behavior of anything not
under your direct control.  Don't assume the browsers will respect
the cookie timeout as such -- it can only be considered advisory at
best.  I would prefer to see a session id with the login state
maintained on the server so timeouts can be more easily enforced.
Then setting the session id cookie expiration to be when the
browser closes will have a similar effect and be slightly more
James Smith - |

View raw message