
Re: logins to secure web pages



I'm not on the www-security list, but this message was forwarded 
to me, and I'd like to respond. I apologize if the question has already
been answered...

>kwhittle@nebula.tbe.com wrote:
>> 
>> Here's a question for you...
>> 
>> How can I set up multiple http servers to accept the same username and password 
>> information without having to enter it multiple times?
>
>You can't do it with the existing basic authentication scheme since a name/passwd
>pair is correlated to a domain (ie. a directory of a server and the subdirs)

Actually, you CAN do it. I ran into the same problem that kwhittle describes
and solved it with a Proxy server. (I used Netscape's, but I assume anyone
will do.)

The key is that your browser remembers a machine/port/realm combination.
Even if your "application" is distributed across multiple machines, you
can hide them behind a single machine/port by using a proxy. Example:

	http://A:1234/myscript.cgi sits in the "myapp" realm

	http://B:5678/usefuldata.htm sits in the "myapp" realm

Requesting A prompts the user for a password, and a redirect from A to B will 
cause yet another challenge.

Now add a proxy.

	http://P:1111/A  maps to http://A:1234
	http://P:1111/B  maps to http://B:5678

The client sends all requests through the proxy, and the redirect is
also through the proxy. From the browser's point of view, all
the action is at the same machine/port/realm combo.


I think the other response about SSL client authentication
wouldn't help in this case.

g' luck

Bret Gorsline
-------------------------------------------------------------
bretg@cc.bellcore.com           Bellcore - Software Engineer
-------------------------------------------------------------
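As an added illustration of the machine/port/realm point above (this is not part of Bret's message), the Python simulation below models a browser's Basic-auth credential cache, the two backends in the same "myapp" realm, and a proxy P:1111 that maps /A and /B to them and rewrites the redirect's Location header back through itself. Hosts, ports and paths follow the example; the sample credential, the cache model and the Location rewriting are assumptions, and the simulation also makes visible the point Holger raises below: every backend behind the proxy receives the same credential.

```python
import base64
from urllib.parse import urlsplit
REALM, CRED = "myapp", "Basic " + base64.b64encode(b"kerry:s3cret").decode()  # constructed values

class Backend:  # origin server: challenges for REALM, then serves or redirects
    def __init__(self, host, port, redirect_to=None):
        self.host, self.port, self.redirect_to = host, port, redirect_to
    def handle(self, path, authorization):
        if authorization != CRED:
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
        return (302, {"Location": self.redirect_to}) if self.redirect_to else (200, {})
class Proxy:  # reverse proxy: /A/... -> A, /B/... -> B, rewriting redirects back through itself
    def __init__(self, host, port, routes):
        self.host, self.port, self.routes = host, port, routes
    def handle(self, path, authorization):
        prefix, _, rest = path.lstrip("/").partition("/")
        status, headers = self.routes[prefix].handle("/" + rest, authorization)
        if "Location" in headers:  # keep the redirect inside the proxy's own machine/port
            u = urlsplit(headers["Location"])
            for p, b in self.routes.items():
                if (u.hostname, u.port) == (b.host, b.port):
                    headers["Location"] = f"http://{self.host}:{self.port}/{p}{u.path}"
        return status, headers
class Browser:  # caches Basic credentials per (host, port, realm); counts password prompts
    def __init__(self):
        self.cache, self.prompts = {}, 0
    def fetch(self, url, servers):
        auth = None
        for _ in range(6):  # bounded loop over 401 challenges and redirects
            u = urlsplit(url)
            status, headers = servers[(u.hostname, u.port)].handle(u.path, auth)
            if status == 401:
                realm = headers["WWW-Authenticate"].split('realm="')[1].rstrip('"')
                key = (u.hostname, u.port, realm)
                if key not in self.cache:  # new machine/port/realm combo: ask the user
                    self.prompts += 1
                    self.cache[key] = CRED
                auth = self.cache[key]
            elif status == 302:
                url, auth = headers["Location"], None
            else:
                return status
        return status
def count_prompts(via_proxy):
    a, b = Backend("a", 1234, redirect_to="http://b:5678/usefuldata.htm"), Backend("b", 5678)
    p = Proxy("p", 1111, {"A": a, "B": b})
    browser = Browser()
    browser.fetch("http://p:1111/A/myscript.cgi" if via_proxy else "http://a:1234/myscript.cgi",
                  {("a", 1234): a, ("b", 5678): b, ("p", 1111): p})
    return browser.prompts  # direct: 2 prompts; through the proxy: 1
```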



------- Forwarded Message

To: bretg@ctt.bellcore.com, sreed@ctt.bellcore.com
From: Anish Bhimani <anish@ctt.bellcore.com>
Subject: Re: logins to secure web pages
Cc: pba@cc.bellcore.com

From the WWW security list. Gives us a sanity check on Tuesday's discussions.

- - Anish

>Date: Thu, 11 Apr 96 08:47:48 +0200
>From: Holger.Reif@prakinf.tu-ilmenau.de (Holger Reif)
>To: www-security@ns2.rutgers.edu, kwhittle@nebula.tbe.com
>Subject: Re: logins to secure web pages
>Sender: owner-www-security@ns2.Rutgers.EDU
>Errors-To: owner-www-security@ns2.Rutgers.EDU
>
>kwhittle@nebula.tbe.com wrote:
>> 
>> Here's a question for you...
>> 
>> How can I set up multiple http servers to accept the same username and password
>> information without having to enter it multiple times?
>
>You can't do it with the existing basic authentication scheme since a name/passwd
>pair is correlated to a domain (ie. a directory of a server and the subdirs)
> 
>> What I would like to do is have the web browser pass the second server the same
>> username and password it did the first server and have the second server accept
>> it.
> 
>I'm sure you don't even want to do it this way because that way you distribute
>your passwds maybe widely :-)
>
>>
>> I would like to make it so that the user enters their username and password 
>> once when they enter the "system" and browse freely from then on.
>> I guess you could liken my goal to logging on to a domain with LAN Server or LAN
>> Manager and then having whatever resources are assigned to you available until
>> you log off. How do I do it?
>
>A solution could be client authentication with certificates according to Netscape's
>SSL protocol. See
>http://www.netscape.com/std/newsref/
>
>But client auth is rarely used today.
> 
>> Kerry
>> 
>
>
>read you later  -  Holger Reif
>----------------------------------------  Signaturprojekt Deutsche Einheit
>TU Ilmenau - Informatik - Telematik                      (Verdamp lang her)
>Holger.Reif@PrakInf.TU-Ilmenau.DE         Alt wie ein Baum werden, um ueber
>http://Remus.PrakInf.TU-Ilmenau.DE/Reif/  alle 7 Bruecken gehen zu koennen
>
>
>


------- End of Forwarded Message