Solved

Parsing a login box for info

Posted on 1998-07-29
Last Modified: 2013-12-25
I need to get the login/password information from the login/password dialog box, so I can match that information with a password file.

Now, I know that you can get the login from the REMOTE_USER variable, but I'm pretty sure you can't get the password. Or can you?

I'm using NT, thus I can't use .htaccess to verify the password. Verifying the login alone isn't enough. Oh yeah, and I have to use the login box rather than form-based authentication - which would make this a lot simpler.

I don't even really need to know the EXACT password - maybe I could even use the encrypted version to match the encrypted version that is stored in the password file. I just need to find a way to extract that info from the browser.

So, is there any way to get that info? I'll definitely bump up the value of this question if it proves to be harder than I thought.
Question by:plavers
6 Comments
 
LVL 6

Expert Comment

by:alamo
ID: 1831276
When you have security set up on NT so that only certain users can access your CGI script, the server automatically causes the browser to pop up the login box, and then validates the login and password. The script sees REMOTE_USER but not the password.

If that's how your system is set up, then why do you need the password?

If not - are you saying you want to turn security off at the server level, cause the login box to pop up within your CGI, and interpret the username-password yourself? In some cases this is possible due to loopholes in IIS, but it's a very shaky way to build a site and won't necessarily always work.

And why can't form-based authentication work for you?
 

Author Comment

by:plavers
ID: 1831277
I can't let unknown web clients become members of our NT network, and I can't use form based authentication, and I can't use ASP. It's a long story, but those are the rules.

I know how to reliably prompt the login box, so... how do I verify the password?
 
LVL 28

Expert Comment

by:sybe
ID: 1831279
I don't think you can get the password information. For obvious security reasons. If I would build an intranet site in my company which needs an NT login, I would be able to catch all username/password combinations. This is not necessary and not desired. It is for a reason that everyone has his own username/password, so that everyone has his own rights & responsibilities.

It IS enough to verify the username only, because you can only login with that username if you have the right password. There is no need to check the password, NT does it for you.

 

Author Comment

by:plavers
ID: 1831280
That's pretty much what I figured. So, am I screwed?

It seems like there would be a way. After all, while I agree that there is an inherent security breach, the passwords could only be revealed to people (administrators) who have pretty broad permissions anyway. On second thought, I guess you are right.

Either way, I guess I am going to have to convince people to go with the form-based authentication, unless you can think of another workaround.
 
LVL 28

Accepted Solution

by:sybe (earned 80 total points)
ID: 1831281
The NT authentication is really secure enough to use in ASP. You can ask for LOGON_USER to find out with what NT username the person is logged on. This is just as secure as NT login.

All you need is a database of users and their NT-username. I have made applications based on this.
You must beware, though, of where you check for LOGON_USER: if people can update information, check right before you update a database (checking before you show the form is not enough; that is easy to hack).


If you want to switch to form-based authentication, then look at
http://www.experts-exchange.com/Q.10067096, I am answering a question about that there.
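
An added example, not part of the original thread and not sybe's code, of the check the accepted answer describes: the identity comes only from the server-set LOGON_USER / REMOTE_USER variable, and it is checked again at the update itself rather than only when the form is shown. It is written in Python instead of ASP; the account names, record ids, table layout and function names are constructed for illustration.

```python
# Added example: authorization enforced at the write, keyed on the
# server-authenticated user name, never on anything the browser submits.

# Constructed sample data: NT account (lowercased) -> records it may edit.
APP_USERS = {
    r"corp\alice": {"can_edit": {"rec-1", "rec-2"}},
    r"corp\bob": {"can_edit": {"rec-3"}},
}
RECORDS = {"rec-1": "old", "rec-2": "old", "rec-3": "old"}


def authenticated_user(environ):
    """Return the user name the web server authenticated, or None.

    The server validates the password itself and exposes only the name,
    so the script never handles the password.
    """
    name = environ.get("LOGON_USER") or environ.get("REMOTE_USER") or ""
    # NT account names are case-insensitive, so normalize before lookup.
    return name.strip().lower() or None


def show_form(environ, record_id):
    """Check when rendering: useful for the UI, not a security boundary."""
    account = APP_USERS.get(authenticated_user(environ))
    if account is None or record_id not in account["can_edit"]:
        return 403, "forbidden"
    return 200, "edit form"


def handle_update(environ, form):
    """Re-check the server-supplied identity right before writing."""
    user = authenticated_user(environ)
    if user is None:
        return 401, "authentication required"
    account = APP_USERS.get(user)
    record_id = form.get("record_id", "")
    # A "username" form field is client-controlled and is deliberately ignored.
    if account is None or record_id not in account["can_edit"]:
        return 403, "forbidden"
    if record_id not in RECORDS:
        return 404, "no such record"
    RECORDS[record_id] = form.get("value", "")
    return 200, "updated"
```
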
Question has a verified solution.