I'm going to be running a node.js server in a Windows environment (via Cygwin) on an internal network that needs access to the Windows login information of the client. The best method I've come up with is to have an iFrame with an ASP page that just does

Response.Write(Request.ServerVariables("AUTH_USER"))

Then, get the contents of the iFrame on load and store it in Javascript. It should contain something like "MANAGER/HisLogin", and I can store that variable. I could possibly sha1/salt it for security purposes.

Couple questions:

  1. Are there any inherent security risks in doing something like this? IIS and Node.js will be running on the same server, but different ports. If required I could make IIS listen to localhost only.

  2. Is there a better route rather than having the iFrame contents picked up by Javascript and relied upon? I realize the client can change the contents of the iFrame and the Javascript variable, but the contents are only read once and I could create a self-destructing function in a Javascript closure that is called upon iFrame load, something like:

Example:

var login = function() {
    var loginInfo = null;
    return {
        init: function(theLogin) {
            loginInfo = theLogin;
            // Replace init with a no-op so it can only be called once.
            this.init = function() {};
        },
        getLogin: function() {
            return loginInfo;
        }
    };
}();

This is the header node.js is reporting

headers: {
    host: '/*Removed*/',
    connection: 'keep-alive',
    accept: 'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
    'user-agent': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7',
    'accept-encoding': 'gzip,deflate,sdch',
    'accept-language': 'en-US,en;q=0.8',
    'accept-charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
    cookie: 'socketio=websocket'
},

Edit 2

Another alternative that I thought of was to post the results from the iFrame loading the page instead of Response.Write. I'd have to find a way to correlate the messages to each other.

A Wizard Did It

3 Answers

As long as you are working in a company intranet or internal network and security on the browser allows it, this may work using JavaScript:

var wshshell=new ActiveXObject("wscript.shell");
var username=wshshell.ExpandEnvironmentStrings("%username%");

John Hartsock

What authentication method are you using? If you are using basic authentication, then your server-side javascript should be able to read the user ID out of the authentication HTTP request header. It will be in a base64 encoded string.

Edit: This question has code that shows how to use node.js to read the basic authentication headers.

David
  • It's a company intranet, so I was trying to get their Windows login that they're currently signed into. If there's a way to get that with just Javascript I would be ecstatic... I posted the header in the question. I don't see anything useful in that. – A Wizard Did It Nov 11 '10 at 19:34
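The header parsing described in David's answer above, as an added example that is not part of the original answers or comments. The function name `parseBasicAuth`, the `DOMAIN\user` split and the sample credentials are assumptions made for illustration.

```javascript
// Added example: parse an HTTP Basic "Authorization" header in Node.js.
// parseBasicAuth and the sample values below are constructed for illustration.

function parseBasicAuth(headers) {
  // Node lower-cases incoming header names, as in the dump in the question.
  const value = headers && headers.authorization;
  if (typeof value !== 'string') return null;

  // Scheme name is case-insensitive (RFC 7617); the token is base64.
  const m = /^basic +([A-Za-z0-9+/]+={0,2})$/i.exec(value.trim());
  if (!m) return null;

  // Buffer.from() silently skips invalid base64, hence the strict regex above.
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');

  // Split on the FIRST colon only: the password may itself contain colons.
  const sep = decoded.indexOf(':');
  if (sep < 1) return null; // no colon, or empty user ID

  const userId = decoded.slice(0, sep);
  const password = decoded.slice(sep + 1);

  // Assumption: the user ID may arrive as DOMAIN\user; split it if so.
  const slash = userId.indexOf('\\');
  return {
    domain: slash === -1 ? null : userId.slice(0, slash),
    user: slash === -1 ? userId : userId.slice(slash + 1),
    password,
  };
}

// Constructed sample: user ID "MANAGER\HisLogin" with password "p:ss".
const sample = {
  authorization: 'Basic ' + Buffer.from('MANAGER\\HisLogin:p:ss').toString('base64'),
};
console.log(parseBasicAuth(sample));
```

The decoded user ID is only a claim until the server checks the password against its account store, and base64 is an encoding rather than encryption, so the header is readable by anyone who can see the request unless it travels over TLS. On a header set like the one dumped in the question, which has no `authorization` key, the function returns `null`.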
Answer for: Edit 2

You could probably use postMessage API to communicate across frames. If you are looking for something that works cross browser, check out Google Closure Library -> CrossPageChannel.

Here you'll find a demo: http://closure-library.googlecode.com/svn/trunk/closure/goog/demos/xpc/index.html

and the docs: http://closure-library.googlecode.com/svn/docs/class_goog_net_xpc_CrossPageChannel.html

I'm going to be running a node.js server in a Windows environment (via Cygwin) on an internal network that needs access to the Windows login information of the client.

I doubt if Request.ServerVariables("AUTH_USER") is available to Javascript as it is Windows specific (nothing to do with Authorization headers), which if I have understood correctly, returns the currently logged in Windows User.

The best way to resolve this issue is to use postMessage. You should sha2 (don't sha1) and salt the password for added security.

Shripad Krishna
  • Yeah I was using an ASP page to get the `AUTH_USER`, the only difficulty is getting it from the ASP page, which is running on a different port, to the Node.js server. – A Wizard Did It Nov 15 '10 at 13:02