BenMillard Posted November 14, 2005 (edited)

I have created an example of HTTP Authorisation and would like its security to be tested. The example page has two links, which require different login information. The login information is supplied so you can check it works before trying to hack in. When you supply valid login information, your details are remembered by the server until you have been inactive for an hour, I think.

I'd also like to know whether people find this system easy to use, general views on it, any experience of implementing it on other sites, etc. Are there any accessibility problems with this sort of system? Since it is part of the HTTP specification, I assume it will be supported by any Web device?

(EDIT) When using the system in Lynx, it attempts to follow the link normally. This fails and it provides a message saying that authorisation is required. It then uses the bottom of the screen to input your login details: (screenshot, 812 x 738, 54.4kB). After entering the name, it used the bottom of the screen to prompt for the password. I entered this, then it displayed an error about an invalid server write or something along those lines and returned focus to the link on the page. I tried following the link again and it worked: (screenshot, 812 x 738, 27.7kB). This has made me a little worried... perhaps other devices would struggle with this system?

(EDIT2) Here is the error message: (screenshot, 812 x 738, 54.2kB). It says: "Alert! Unexpected network read error; connection aborted." Is this a problem with my configuration or with the browser?

Edited November 14, 2005 by Cerbera
TheJkWhoSaysNi Posted December 12, 2005

Your page doesn't display correctly because it's invalid and you're serving it as application/xhtml+xml. You seem to have two lots of everything above the <body> tag.
BenMillard Posted December 13, 2005 (Author)

Ah, I'd forgotten to update my test pages to work correctly with the PHP I've been trying out. Should be fixed now.
TheJkWhoSaysNi Posted December 16, 2005 (edited)

Looks pretty secure, although I'm nowhere near an expert at this kind of thing. You can keep the .htpasswd file in the same directory as .htaccess since you can't view it without logging in anyway (and I believe Apache disables access to .files, although I may be wrong). If you can access .htpasswd, the only real security problem is being able to see other people's passwords. Keeping it in an inaccessible directory is definitely best though.

As for the problem, it seems like a browser issue to me.

Edited December 16, 2005 by TheJkWhoSaysNi
Jack_Knife Posted December 17, 2005

> Looks pretty secure, although I'm nowhere near an expert at this kind of thing. You can keep the .htpasswd file in the same directory as .htaccess since you can't view it without logging in anyway (and I believe Apache disables access to .files, although I may be wrong). If you can access .htpasswd, the only real security problem is being able to see other people's passwords. Keeping it in an inaccessible directory is definitely best though. As for the problem, it seems like a browser issue to me.

By default Apache blocks access to .htaccess and .htpasswd, I believe. It also doesn't list them in directory listings. And even if you can access the .htpasswd file, I would assume Cerb is keeping the passwords in there encrypted.

"You can play faster than Al Di Meola and do it with only one pinky, but if you're not listening to what is going on around you, you might as well just shut up"
Isn't your crotch supposed to be erecting when you have an orgasm?
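To make concrete the two points raised in the thread (that Basic authentication is a plain HTTP exchange of a 401 challenge and an Authorization header, and that a .htpasswd file holds password digests rather than passwords), here is an added Python example that is not code from the thread or from Apache. It assumes .htpasswd entries in the "{SHA}" form that `htpasswd -s` writes (base64 of the SHA-1 digest); the users and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional


def sha_entry(user: str, password: str) -> str:
    """Build one .htpasswd line in the {SHA} form that `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample .htpasswd contents: only digests are stored, never plaintext.
HTPASSWD_TEXT = "\n".join([
    sha_entry("alice", "secret1"),
    sha_entry("bob", "secret2"),
    "# comment lines and blank lines are ignored",
    "",
])


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map each username to its stored digest string."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def challenge_header(realm: str) -> str:
    """WWW-Authenticate value the server sends with a 401 to trigger the login prompt."""
    return f'Basic realm="{realm}"'


def basic_header(user: str, password: str) -> str:
    """Authorization value the client sends back: base64 only, so not secret on the wire."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def verify_sha(stored: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against a {SHA} entry."""
    if not stored.startswith("{SHA}"):
        return False  # crypt, apr1-MD5 and bcrypt entries need extra libraries
    want = base64.b64decode(stored[5:])
    got = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(want, got)


def check_authorization(header: Optional[str], users: Dict[str, str]) -> Optional[str]:
    """Return the username if the Authorization header carries valid Basic credentials."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in users:
        return None
    return user if verify_sha(users[user], password) else None
```

Because the client side is only base64, the scheme protects nothing on the wire by itself; the digests in .htpasswd are what limit the damage if the file is read.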