Solved

Parsing a login box for info

Posted on 1998-07-29
Last Modified: 2013-12-25
I need to get the login/password information from the login/password dialog box, so I can match that information with a password file.

Now, I know that you can get the login from the REMOTE_USER variable, but I'm pretty sure you can't get the password. Or can you?

I'm using NT, thus I can't use .htaccess to verify the password. Verifying the login alone isn't enough. Oh yeah, and I have to use the login box rather than form-based authentication - which would make this a lot simpler.

I don't even really need to know the EXACT password - maybe I could even use the encrypted version to match the encrypted version that is stored in the password file. I just need to find a way to extract that info from the browser.

So, is there any way to get that info? I'll definitely bump up the value of this question if it proves to be harder than I thought.
Question by:plavers
6 Comments
 
LVL 6

Expert Comment

by:alamo
ID: 1831276
When you have security set up on NT so that only certain users can access your CGI script, the server automatically causes the browser to pop up the login box, and then validates the login and password. The script sees REMOTE_USER but not the password.

If that's how your system is set up, then why do you need the password?

If not - are you saying you want to turn security off at the server level, cause the login box to pop up within your CGI, and interpret the username-password yourself? In some cases this is possible due to loopholes in IIS, but it's a very shaky way to build a site and won't necessarily always work.

And why can't form-based authentication work for you?
 

Author Comment

by:plavers
ID: 1831277
I can't let unknown web clients become members of our NT network, and I can't use form-based authentication, and I can't use ASP. It's a long story, but those are the rules.

I know how to reliably prompt the login box, so... how do I verify the password?
 
LVL 28

Expert Comment

by:sybe
ID: 1831279
I don't think you can get the password information. For obvious security reasons. If I would build an intranet site in my company which needs an NT login, I would be able to catch all username/password combinations. This is not necessary and not desired. It is for a reason that everyone has his own username/password, so that everyone has his own rights & responsibilities.

It IS enough to verify the username only, because you can only login with that username if you have the right password. There is no need to check the password, NT does it for you.

 

Author Comment

by:plavers
ID: 1831280
That's pretty much what I figured. So, am I screwed?

It seems like there would be a way. After all, while I agree that there is an inherent security breach, the passwords could only be revealed to people (administrators) who have pretty broad permissions anyway. On second thought, I guess you are right.

Either way, I guess I am going to have to convince people to go with the form-based authentication, unless you can think of another workaround.
 
LVL 28

Accepted Solution

by:
sybe earned 80 total points
ID: 1831281
The NT authentication is really secure enough to use in ASP. You can ask for LOGON_USER to find out with what NT username the person is logged on. This is just as secure as NT login.

All you need is a database of users and their NT-username. I have made applications based on this.
You must beware, though, of where you check for LOGON_USER: if people can update information, check right before you update a database (checking before you show the form is not enough; that is easy to hack).


If you want to switch to form-based authentication, then look at
http://www.experts-exchange.com/Q.10067096, I am answering a question about that there.
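
The accepted answer's advice about where to check the username, as an added example that is not part of the original thread or of sybe's applications. It is written in Python as a CGI-style sketch rather than ASP; the handler names, the user table and the `environ` dictionary standing in for the server variables are all assumptions made for illustration.

```python
# Added example. All names and data below are constructed for illustration.
USERS = {"corp\\alice": 1, "corp\\bob": 2}  # NT username -> record it may edit


def authenticated_user(environ):
    """Return the server-verified username in lower case, or None."""
    # The web server sets these after it has validated the password itself.
    name = environ.get("LOGON_USER") or environ.get("REMOTE_USER") or ""
    return name.strip().lower() or None


def may_edit(environ, record_id):
    """True only if the server-authenticated user owns record_id."""
    user = authenticated_user(environ)
    return user is not None and USERS.get(user) == record_id


def show_form(environ, record_id):
    """Render the edit form; this check alone does not protect the update."""
    if not may_edit(environ, record_id):
        return 403, ""
    return 200, f'<form method="post" action="/update?id={record_id}">...</form>'


def update_unchecked(environ, records, record_id, value):
    """'Before': assumes every POST came from a form that show_form rendered."""
    records[record_id] = value
    return 200


def update_checked(environ, records, record_id, value):
    """'After': repeats the identity check immediately before the write."""
    if authenticated_user(environ) is None:
        return 401
    if not may_edit(environ, record_id):
        return 403
    records[record_id] = value
    return 200
```

A logged-in user who is refused the form for someone else's record can still send the update request directly, so only `update_checked` keeps that record unchanged.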