Solved

Parsing a login box for info

Posted on 1998-07-29
Last Modified: 2013-12-25
I need to get the login/password information from the login/password dialog box, so I can match that information with a password file.

Now, I know that you can get the login from the REMOTE_USER variable, but I'm pretty sure you can't get the password. Or can you?

I'm using NT, thus I can't use .htaccess to verify the password. Verifying the login alone isn't enough. Oh yeah, and I have to use the login box rather than form-based authentication - which would make this a lot simpler.

I don't even really need to know the EXACT password - maybe I could even use the encrypted version to match the encrypted version that is stored in the password file. I just need to find a way to extract that info from the browser.

So, is there any way to get that info? I'll definitely bump up the value of this question if it proves to be harder than I thought.
0
Question by:plavers
LVL 6

Expert Comment

by:alamo
ID: 1831276
When you have security set up on NT so that only certain users can access your CGI script, the server automatically causes the browser to pop up the login box, and then validates the login and password. The script sees REMOTE_USER but not the password.

If that's how your system is set up, then why do you need the password?

If not - are you saying you want to turn security off at the server level, cause the login box to popup within your CGI, and interpret the username-password yourself? In some cases this is possible due to loopholes in IIS, but it's a very shaky way to build a site and won't necessarily always work.

And why can't form-based authentication work for you?
0
 

Author Comment

by:plavers
ID: 1831277
I can't let unknown web clients become members of our NT network, and I can't use form-based authentication, and I can't use ASP. It's a long story, but those are the rules.

I know how to reliably prompt the login box, so... how do I verify the password?
0
 

 
LVL 28

Expert Comment

by:sybe
ID: 1831279
I don't think you can get the password information. For obvious security reasons. If I would build an intranet site in my company which needs an NT login, I would be able to catch all username/password combinations. This is not necessary and not desired. It is for a reason that everyone has his own username/password, so that everyone has his own rights & responsibilities.

It IS enough to verify the username only, because you can only login with that username if you have the right password. There is no need to check the password, NT does it for you.

0
 

Author Comment

by:plavers
ID: 1831280
That's pretty much what I figured. So, am I screwed?

It seems like there would be a way. After all, while I agree that there is an inherent security breach, the passwords could only be revealed to people (administrators) who have pretty broad permissions anyway. On second thought, I guess you are right.

Either way, I guess I am going to have to convince people to go with the form-based authentication, unless you can think of another workaround.
0
 
LVL 28

Accepted Solution

by:
sybe earned 80 total points
ID: 1831281
The NT authentication is really secure enough to use in ASP. You can ask for LOGON_USER to find out with what NT username the person is logged on. This is just as secure as NT login.

All you need is a database of users and their NT-username. I have made applications based on this.
You must beware, though, where you check for LOGON_USER: if people can update information, check right before you update a database (checking before you show the form is not enough; that is easy to hack).


If you want to switch to form-based authentication, then look at
http://www.experts-exchange.com/Q.10067096, I am answering a question about that there.
0
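
The accepted answer's advice to check LOGON_USER right before the update, as an added example (not part of the original thread and not sybe's application). The user table, record ids and function names are hypothetical, and it assumes the server places the name it authenticated in LOGON_USER or REMOTE_USER:

```python
# Added example: constructed data, hypothetical names throughout.

# Constructed table: server-authenticated NT username -> record ids it may edit.
# NT account names are case-insensitive, so keys are stored lower-case.
USER_RECORDS = {
    "corp\\alice": {"42"},
    "corp\\bob": {"43"},
}


def authenticated_user(environ):
    """Return the name the web server authenticated, normalised, or None.

    Only server-set variables are read; nothing sent in the form is trusted.
    """
    user = environ.get("LOGON_USER") or environ.get("REMOTE_USER")
    return user.lower() if user else None


def may_edit(environ, record_id):
    """True only if the authenticated user is mapped to this record."""
    user = authenticated_user(environ)
    return user is not None and record_id in USER_RECORDS.get(user, set())


def show_form(environ, record_id):
    """Render step: a convenience check, not the security boundary."""
    return "200 OK" if may_edit(environ, record_id) else "403 Forbidden"


def handle_update(environ, form, records):
    """Write step: repeat the check immediately before touching the data.

    A client can submit the update request directly without ever loading
    the form, so the check in show_form() protects nothing on its own.
    """
    record_id = form.get("record_id", "")
    # Any 'user' field in the form is client-controlled and is ignored.
    if not may_edit(environ, record_id):
        return "403 Forbidden"
    records[record_id] = form.get("value", "")
    return "200 OK"
```
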
