Aurora Morgan
Preta Light Industries
|
Posted - 2010.02.07 23:38:00 -
[1]
The IGB doesn't seem to support authentication via http, I have found notes that it should work when passed inside the URL. But I can't seem to get it to work (The http-auth headers never get sent, but it doesn't give an error in url parsing either).
Is this something fail on my part, or is it a known problem? <3
|
Catari Taga
Centre Of Attention Rough Necks
|
Posted - 2010.02.08 00:39:00 -
[2]
Edited by: Catari Taga on 08/02/2010 00:39:29
Originally by: Aurora Morgan Is this something fail on my part, or is it a known problem? <3
Since it works for me the fail must be on your part.
http://username:password@URI
|
Mograph
Caldari Starscream Industries IDLE EMPIRE
|
Posted - 2010.02.08 17:04:00 -
[3]
what is it you are trying to authenticate exactly? The eve browser sends several HTTP headers.
it will always send the HTTP_TRUST header but will either be yes or no, you can use this header to authenticate if the browser is being used or not.
or you can use the HTTP_USER_AGENT http header to check if "EVE-IGB" is being sent.
and if you are reading this you have reached the signature without noticing. |
Catari Taga
Centre Of Attention Rough Necks
|
Posted - 2010.02.08 17:30:00 -
[4]
Originally by: Mograph what is it you are trying to authenticate exactly? The eve browser sends several HTTP headers.
it will always send the HTTP_TRUST header but will either be yes or no, you can use this header to authenticate if the browser is being used or not.
or you can use the HTTP_USER_AGENT http header to check if "EVE-IGB" is being sent.
he asked about this: http://en.wikipedia.org/wiki/Basic_access_authentication
|
darius mclever
|
Posted - 2010.02.08 18:18:00 -
[5]
well passing the basic auth in the url works but I still think he meant a popup asking for username and password.
trusting the trust header is like trusting a goon in jita, who tries to recruit you.
|
ddooxx
|
Posted - 2010.02.09 02:09:00 -
[6]
Originally by: darius mclever well passing the basic auth in the url works but I still think he meant a popup asking for username and password.
With password in URI, the userid and password are in the clear (unencrypted) for any sniffer. Plus, since they are part of the URI, they will be stored in any proxy server/cache you are using. This was an option last millennium but I would think that sort of thing should be avoided these days.
|
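What post [6] describes, as an added example that is not part of the original thread: credentials embedded in a URL become a Base64 `Authorization: Basic` header that anyone who captures the request can decode, and the URL should have its userinfo stripped before it is written to a log or cache key. The function names, host name, account and password are constructed for illustration.

```python
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def basic_header_from_url(url):
    """Return the Authorization value a client derives from URL userinfo, or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    # urlsplit leaves userinfo percent-encoded, so decode it first.
    creds = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def decode_basic_header(value):
    """Recover (user, password) from a captured header: Base64 is not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def redact_userinfo(url):
    """Strip user:password@ from a URL before it reaches a log or cache key."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.hostname or ""
    if ":" in host:               # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URL; not taken from the thread.
    sample = "http://pilot:s3cret@tools.example.com:8080/assets?x=1"
    header = basic_header_from_url(sample)
    print("sent on the wire :", header)
    print("sniffer recovers :", decode_basic_header(header))
    print("safe to log      :", redact_userinfo(sample))
```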
Catari Taga
Centre Of Attention Rough Necks
|
Posted - 2010.02.09 03:25:00 -
[7]
Edited by: Catari Taga on 09/02/2010 03:26:57
Originally by: ddooxx
Originally by: darius mclever well passing the basic auth in the url works but I still think he meant a popup asking for username and password.
With password in URI, the userid and password are in the clear (unencrypted) for any sniffer.
With password entered into the popup of a browser they are equally in the clear (unless you use https).
On the other hand, if you are worried about people reading your network traffic you shouldn't be putting sensitive information into a video game browser anyway, so in my opinion the point is moot.
|
Aurora Morgan
Preta Light Industries
|
Posted - 2010.02.17 23:17:00 -
[8]
All traffic over http is in the clear for sniffers, even http-digest etc.
And no, it does not seem to currently work to put the password in the uri. I asked some people to try it, and it does not seem to work. As I said, with a network sniffer I can clearly see that it does not send the authentication part.
So I implemented a simple form instead, and yes, it is still sniffable. And yes, this is just internet spaceships. So it doesn't really matter.
|
Catari Taga
Centre Of Attention Rough Necks
|
Posted - 2010.02.17 23:52:00 -
[9]
Originally by: Aurora Morgan And no, it does not seem to currently work to put the password in the uri.
I just tried, works here.
|
Leebe
|
Posted - 2010.02.20 14:33:00 -
[10]
you could add some javascript to your form combined with some logic on your server to encrypt the password for the network transfer ;)
|
Catari Taga
Centre Of Attention Rough Necks
|
Posted - 2010.02.20 17:22:00 -
[11]
Edited by: Catari Taga on 20/02/2010 17:22:13
Originally by: Leebe you could add some javascript to your form combined with some logic on your server to encrypt the password for the network transfer ;)
That's a bit pointless though?
First of all that would need to be some PKI style algorithm because your attacker will have access to your client side code too, and you'd better salt it with a timestamp or he'll simply replay it on your server.
Even if you do that your network traffic is still in the clear though so he'll be able to read your website in the clear anyway and in addition hijack your session to browse your site himself.
Thus your entire connection needs to stay encrypted anyway, i.e. SSL/TLS, at which point your additional password encryption is redundant. Of course, the theoretical man in the middle having access to your network traffic could simply present you with a faked login page or similar.
|
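The replay point in post [11], as an added example that is not part of the original thread: a server that accepts a fixed client-side hash of the password can be logged into with a captured copy of that hash, while a single-use server nonce makes the captured response worthless. The class names, the HMAC-SHA256 challenge-response (used here in place of the timestamp salt the post mentions) and the sample password are assumptions for illustration; neither variant protects the page content or the session on plain HTTP, which is why the post ends at SSL/TLS.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"constructed-sample-password"  # constructed value, not from the thread


def client_static(password):
    """What a naive client-side script sends: a fixed hash of the password."""
    return hashlib.sha256(password).hexdigest()


def client_response(password, nonce):
    """Client answer to a server challenge: HMAC over the nonce, keyed by the password."""
    return hmac.new(password, nonce, hashlib.sha256).hexdigest()


class StaticHashServer:
    """Accepts the fixed hash, so the hash itself becomes the credential."""
    def __init__(self, password):
        self._expected = client_static(password)

    def login(self, value):
        return hmac.compare_digest(value, self._expected)


class NonceServer:
    """Issues single-use nonces; a response is valid for one login attempt only."""
    def __init__(self, password):
        self._password = password
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._pending:
            return False                      # unknown or already used: replay rejected
        self._pending.discard(nonce)
        expected = client_response(self._password, nonce)
        return hmac.compare_digest(response, expected)


def replay_outcomes():
    """Return (static_replay_accepted, nonce_first_login, nonce_replay_accepted)."""
    captured = client_static(PASSWORD)        # value visible to anyone on the path
    static_replay = StaticHashServer(PASSWORD).login(captured)
    server = NonceServer(PASSWORD)
    nonce = server.challenge()
    response = client_response(PASSWORD, nonce)
    return static_replay, server.login(nonce, response), server.login(nonce, response)
```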