
Possible Duplicate:
How to use Basic Auth and Jquery and Ajax

I want to use basic authentication via AJAX to a REST service. The authentication header is not my problem. My problem is how do I go about storing and retrieving the credentials that will be used in the basic authentication.

Should I be storing the username and password in a cookie when they first log in? I want the user to be able to login to the website. And once they are logged in, their web browser will download the page contents via AJAX with basic authentication from a REST service that contains their data.

I think there must be some standard way to do this. But I am having a hard time figuring out what it is.

Thanks!

w.donahue
  • For the record this is NOT a duplicate of the question that some of you submitted. If you took the time to actually read and understand a question before you mark it as a duplicate it would be appreciated. This is not the first time my NON DUPLICATE questions have been marked duplicate. – w.donahue Jan 20 '12 at 23:00

1 Answer


I marked the question as a dupe after I figured out exactly what was being asked.

Here's an answer about how you'd roll your own Auth system, which is originally what I thought your question was about :)

If your site is visible on the Internet, HTTP Basic Auth alone will not secure your content.

Sending the username and password to the server

You shouldn't store the username and password anywhere but inside your DB. The password should never be stored in plain text. It should be hashed, using a Salt.

When you authenticate, hash the password with the same Salt, and verify that the resulting hashes are the same.

You could also consider a pre-hash of the password (in addition to the server-side hash) so the plain-text password is never sent over the wire.

Session cookie instead of username/password with each request

Authenticate with the username and password only once, and return a session cookie to the user.

This cookie should be used to look up which user owns the session, and when they authenticated (so the session can expire). If they've got a valid cookie that matches up to an unexpired session, you can consider them authenticated.

Security issues

The remaining problem with this scheme is that it is still prone to a replay attack or a man-in-the-middle attack.

You could mitigate some of this by only allowing authenticated sessions to access your site through SSL.

Another thing that could help (though not completely solve the problem) is to store the IP the auth request came from in the session data, and make sure it is the same IP with each request.

If you can, I'd suggest you reuse an existing authentication system rather than rolling your own. It is a little complicated (and prone to problems), and other people have already thought through the details. I'm sure there are details I'm missing, too.

Merlyn Morgan-Graham
  • So does that mean this can't be done? I don't have access to the REST servers implementation. I want users web browsers to be able to query it for information but to do that it requires Basic Authentication. – w.donahue Dec 24 '11 at 04:49
  • @metalideath: [HTTP Basic Authentication](http://en.wikipedia.org/wiki/Basic_access_authentication) is not secure. You'll have to wrap your whole site (including the login) with SSL in order to make it secure. Or don't worry about that if you're making an Intranet-only application, your Intranet is already secured, and the damage posed by unauthorized access is minimal. – Merlyn Morgan-Graham Dec 24 '11 at 04:52
  • @metalideath: According to that wiki article, Basic Auth is sent in HTTP headers - it doesn't mention cookies. The server should already handle some portion of the auth for you if you're using it correctly, so you shouldn't have to do much extra to support Basic Auth. When you want to find out who is accessing the site simply read the auth header, and Base64 decode it. When you call the server (AJAX etc), make sure you pass that auth info in the HTTP header. See this question - http://stackoverflow.com/questions/5507234/how-to-use-basic-auth-and-jquery-and-ajax – Merlyn Morgan-Graham Dec 24 '11 at 04:54
  • Thanks for the help but I don't think you understand the question I am asking. – w.donahue Dec 24 '11 at 05:18
  • @metalideath: No problem, gave it a shot :) I'm sure you'll get more responses. – Merlyn Morgan-Graham Dec 24 '11 at 06:23
  • Thank you very much I do appreciate it. I don't think I am asking the question the right way. Web programming is very new to me. – w.donahue Dec 24 '11 at 06:26
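The header handling described in the comments (the browser attaches the Basic credentials to each AJAX request in the Authorization header; the server reads that header and Base64-decodes it), as an added example that is not code from the question, the answer or the comments. It uses fetch rather than jQuery's $.ajax; the API URL and the credentials are placeholders, and the same functions run unchanged in Node 16+ (btoa, atob, TextEncoder and TextDecoder are global there too).

```javascript
// Added example, not from the original page: building and parsing the HTTP
// Basic Authorization header (RFC 7617 format: base64("user:password")).

// Client side. The credentials are held in memory for the page's lifetime and
// attached to each request; they are never written to a cookie.
function basicAuthHeader(username, password) {
  // RFC 7617: the user-id part may not contain ":" (the password may).
  if (username.includes(":")) throw new Error("username must not contain ':'");
  // btoa only accepts Latin-1 code points, so encode to UTF-8 bytes first;
  // this keeps non-ASCII passwords intact.
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  return "Basic " + btoa(String.fromCharCode(...bytes));
}

// Server side (the comment's "read the auth header, and Base64 decode it").
// Returns { username, password } or null when the header is absent/malformed.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(headerValue || "");
  if (!m) return null;
  const bin = atob(m[1]);
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  const decoded = new TextDecoder().decode(bytes);
  const idx = decoded.indexOf(":"); // split on the FIRST colon only
  if (idx < 0) return null;
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Browser call to the REST service. Only ever do this over https: the header
// is reversible encoding, not encryption, so on plain http it is the password.
async function fetchAccountData(apiUrl, username, password) {
  const res = await fetch(apiUrl, {
    headers: { Authorization: basicAuthHeader(username, password) },
  });
  if (res.status === 401) {
    throw new Error("rejected: " + res.headers.get("WWW-Authenticate"));
  }
  return res.json();
}

// Placeholder usage (URL and credentials are not real):
// fetchAccountData("https://api.example.test/me", "alice", "s3cret").then(console.log);
```

Splitting on the first colon only matters: a password such as `a:b` would otherwise lose its tail, and a server that splits on the last colon will accept a different credential than the one the client sent.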