Parsing a login box for info

I need to get the login/password information from the login/password dialog box, so I can match that information with a password file.

Now, I know that you can get the login from the REMOTE_USER variable, but I 'm pretty sure you can't get the password. Or can you?

I'm using NT, thus I can't use .htaccess to verify the password. Verifying the login alone isn't enough. Oh yeah, and I have to use the login box rather than form-based authentication - which would make this a lot simpler.

I don't even really need to know the EXACT password - maybe I could even use the encrypted version to match the encrypted version that is stored in the password file. I just need to finds a way to extract that info from the browser.

So, is there any way to get that info? I'll definitely bump up the value of this question if it proves to be harder than I thought.
plaversAsked:
Who is Participating?
 
sybeCommented:
The NT authentication is really secure enough to use in ASP. You can ask for LOGON_USER to find out with what NT username the person is logged on. This is just as secure as NT login.

All you need is a database of users and their NT-username. I have made applications based on this.
You must beware though where you check for LOGON_USER, if people can update information, check right before you update a database (checking before you show the form is not enough, that is easy to  hack).


If you want to switch to form-based authentication, then look at
http://www.experts-exchange.com/Q.10067096, I am answering a question about that there.
0
 
alamoCommented:
When you have security set up on NT so that only certain users can access your CGI script, the server automatically causes the browser to pop up the login box, and then validates the login and password. The script sees REMOTE_USER but not the password.

If that's how your system is set up, then why do you need the password?

If not - are you saying you want to turn security off at the server level, cause the login box to popup within your CGI, and interpret the username-password yourself? In some cases this is possible due to loopholes in IIS, but it's a very shaky way to build a site and won't necessarily always work.

And why can't form-based authentification work for you?
0
 
plaversAuthor Commented:
I can't let unknown web clients becomne members of our NT network, and I can't use form based authentication, and I can't use ASP. It's a long story, but those are the rules.

I know how to reliably prompt the login bog, so... how do I verify the password?
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
plaversAuthor Commented:
I can't let unknown web clients becomne members of our NT network, and I can't use form based authentication, and I can't use ASP. It's a long story, but those are the rules.

I know how to reliably prompt the login bog, so... how do I verify the password?
0
 
sybeCommented:
I don't think you can get the password information. For obvious security reasons. If I would build an intranet site in my company which needs an NT login, I would be able to catch all username/password combinations. This is not necessary and not desired. It is for a reason that everyone has his own username/password, so that everyone has his own rights & responsibilities.

It IS enough to verify the username only, because you can only login with that username if you have the right password. There is no need to check the password, NT does it for you.

0
 
plaversAuthor Commented:
That's pretty much what I figured. So, am I screwed?

It seems like there would be a way. After all, while I agree that there is an inherent security breach, the passwords could only be revealed to people (administrators) who have pretty broad permissions anyway. On second thought, I guess you are right.

Either way, I guess I am going to have to convince people to go with the form-based authentication, unless you can think of another workaround.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.