Solved

Parsing a login box for info

Posted on 1998-07-29
Last Modified: 2013-12-25
I need to get the login/password information from the login/password dialog box, so I can match that information with a password file.

Now, I know that you can get the login from the REMOTE_USER variable, but I'm pretty sure you can't get the password. Or can you?

I'm using NT, thus I can't use .htaccess to verify the password. Verifying the login alone isn't enough. Oh yeah, and I have to use the login box rather than form-based authentication - which would make this a lot simpler.

I don't even really need to know the EXACT password - maybe I could even use the encrypted version to match the encrypted version that is stored in the password file. I just need to find a way to extract that info from the browser.

So, is there any way to get that info? I'll definitely bump up the value of this question if it proves to be harder than I thought.
Question by:plavers
6 Comments
 
LVL 6

Expert Comment

by:alamo
ID: 1831276
When you have security set up on NT so that only certain users can access your CGI script, the server automatically causes the browser to pop up the login box, and then validates the login and password. The script sees REMOTE_USER but not the password.

If that's how your system is set up, then why do you need the password?

If not - are you saying you want to turn security off at the server level, cause the login box to pop up within your CGI, and interpret the username-password yourself? In some cases this is possible due to loopholes in IIS, but it's a very shaky way to build a site and won't necessarily always work.

And why can't form-based authentication work for you?
0
 

Author Comment

by:plavers
ID: 1831277
I can't let unknown web clients become members of our NT network, and I can't use form-based authentication, and I can't use ASP. It's a long story, but those are the rules.

I know how to reliably prompt the login box, so... how do I verify the password?
0
 

Author Comment

by:plavers
ID: 1831278
I can't let unknown web clients become members of our NT network, and I can't use form-based authentication, and I can't use ASP. It's a long story, but those are the rules.

I know how to reliably prompt the login box, so... how do I verify the password?
0
LVL 28

Expert Comment

by:sybe
ID: 1831279
I don't think you can get the password information. For obvious security reasons. If I would build an intranet site in my company which needs an NT login, I would be able to catch all username/password combinations. This is not necessary and not desired. It is for a reason that everyone has his own username/password, so that everyone has his own rights & responsibilities.

It IS enough to verify the username only, because you can only login with that username if you have the right password. There is no need to check the password, NT does it for you.

0
 

Author Comment

by:plavers
ID: 1831280
That's pretty much what I figured. So, am I screwed?

It seems like there would be a way. After all, while I agree that there is an inherent security breach, the passwords could only be revealed to people (administrators) who have pretty broad permissions anyway. On second thought, I guess you are right.

Either way, I guess I am going to have to convince people to go with the form-based authentication, unless you can think of another workaround.
0
 
LVL 28

Accepted Solution

by:
sybe earned 80 total points
ID: 1831281
The NT authentication is really secure enough to use in ASP. You can ask for LOGON_USER to find out with what NT username the person is logged on. This is just as secure as NT login.

All you need is a database of users and their NT usernames. I have made applications based on this.
You must be careful, though, about where you check for LOGON_USER: if people can update information, check right before you update a database (checking before you show the form is not enough; that is easy to hack).


If you want to switch to form-based authentication, then look at
http://www.experts-exchange.com/Q.10067096, I am answering a question about that there.
0
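The check described in the accepted answer, written out as an added example that is not part of the original thread: a CGI-style handler that trusts only the server-set LOGON_USER / REMOTE_USER variable and re-checks it immediately before the write. The names `USERS`, `RECORDS`, `server_identity` and `handle`, and the sample accounts, are hypothetical and constructed for illustration.

```python
# Added example: authorize on the server-verified identity at write time.
# USERS, RECORDS and handle() are hypothetical; environ mimics CGI variables.

USERS = {r"CORP\alice": {"can_edit": True},   # constructed sample data:
         r"CORP\bob": {"can_edit": False}}    # NT username -> application rights
RECORDS = {"motd": "hello"}


def server_identity(environ):
    """Return the username the web server authenticated, or None.

    Only server-set variables are trusted, never a field from the request body.
    """
    user = environ.get("LOGON_USER") or environ.get("REMOTE_USER") or ""
    return user if user in USERS else None


def handle(environ, form):
    """Process one request and return (status, body)."""
    user = server_identity(environ)
    if user is None:
        return 401, "unknown user"
    if environ.get("REQUEST_METHOD") == "GET":
        # Hiding the form from read-only users is a convenience, not a control.
        if not USERS[user]["can_edit"]:
            return 403, "read only"
        return 200, "<form method=post>...</form>"
    # POST: check again right before the update, because a client can send
    # this request directly without ever loading the form.
    if not USERS[user]["can_edit"]:
        return 403, "update refused"
    key = form.get("key")
    if key not in RECORDS:
        return 400, "no such record"
    RECORDS[key] = form.get("value", "")
    return 200, "updated by " + user
```
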
