[2657] in WWW Security List Archive
Combining authentications
daemon@ATHENA.MIT.EDU (Romy Varga)
Fri Aug 16 16:21:18 1996
Date: Fri, 16 Aug 1996 14:11:46 -0400
From: Romy Varga <vargar@cognos.com>
Reply-To: vargar@cognos.com
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I'd like to ask for some of your ideas on the following situation,
regarding a custom authentication web page and an access controlled area
on a webserver.
We currently have a set of html pages on a webserver (running Netscape
Enterprise Server) that authenticates users by connecting to and
checking in an ever-changing Oracle database to see if access should be
denied or allowed. (Converting and importing this database to be used
by the server's access control mechanism is not suitable for various
reasons, so we would like to avoid this route.)
Then we would like these scripts to redirect the user (in case access
should be allowed) to an area of the server that is protected by the
server's own access control mechanism (this is to avoid someone
bookmarking a subsequent URL, and jumping right there next time,
skipping our authentication).
However, we would like this area to be protected by only one username
and password, and have our scripts pass on the username and password to
the server to let the client access pages in that area, but without this
information (username and password) ever being shown to the user.
Do you have any suggestion on how the username and password could be
passed on from a script to the Enterprise server (I assume in the form
of some variables) so that the client does not see them?
Also, can you find some places in such a setup that one might use to
exploit and bypass our authentication, but still have access to the
protected area? (assuming that the username and password used on the
webserver to protect a given directory can be passed on to the server
from a script without the user ever seeing it.)
Thanks for your thoughts in advance.
Romy Varga
Cognos Inc.
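The set-up asked about above, modelled in a small added example (this is not code from the original post or from Cognos; every name, key and user in it is a constructed assumption). It shows the two points a reviewer would raise: with the server's Basic-auth protection, whatever the redirecting script does, the single shared username/password has to travel in the client's `Authorization` header on every request to the protected area, so the user (or anyone on the path) can recover it with one base64 decode, and once recovered it grants access regardless of what the "ever-changing" database now says. The alternative modelled beside it replaces the shared credential with an HMAC-signed, expiring token issued after the database check and re-checked against the database at the protected area, so a bookmarked or stolen value stops working and a revoked user is shut out. The constructed `ACCESS_DB` dictionary stands in for the Oracle lookup.

```python
"""Constructed model of the set-up in the post: a script checks an access
database, then admits the user to a server-protected area. Two ways of
passing the authentication on are modelled: one shared Basic-auth
credential, and an HMAC-signed expiring token. All names, keys and users
below are assumptions, not values from the original post."""
import base64
import hashlib
import hmac

# Constructed stand-in for the "ever-changing" Oracle access database.
ACCESS_DB = {"alice": True, "bob": False}

# The single shared credential protecting the directory (assumed values).
AREA_USER = "area"
AREA_PASS = "s3cret"

# Server-side signing key for tokens; it never leaves the server (assumption).
SIGNING_KEY = b"example-signing-key-change-me"
TOKEN_TTL = 600  # seconds a token stays valid (assumption)


def db_allows(username):
    """The custom page's check against the access database."""
    return ACCESS_DB.get(username, False)


def basic_authorization(user, password):
    """The header a browser must send on every request to a Basic-auth area.
    Whatever the redirecting script does, this value ends up in the client."""
    blob = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + blob


def recover_basic(header):
    """What the user, or a proxy on the path, can read out of that header."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def area_accepts_basic(header):
    """The server's own check: one fixed username/password, no user identity,
    and no way to consult the database once the credential is known."""
    try:
        return recover_basic(header) == (AREA_USER, AREA_PASS)
    except ValueError:  # covers malformed base64 and non-UTF-8 payloads too
        return False


def issue_token(username, now, key=SIGNING_KEY, ttl=TOKEN_TTL):
    """Issued by the script after db_allows(); binds the user and an expiry."""
    payload = f"{username}|{int(now) + ttl}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token, now, key=SIGNING_KEY):
    """Check run in front of the protected area: returns the username for a
    correctly signed, unexpired token, otherwise None."""
    try:
        username, exp_str, sig = token.rsplit("|", 2)
        expected = hmac.new(key, f"{username}|{exp_str}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        if int(exp_str) <= int(now):
            return None
    except ValueError:  # wrong field count or non-numeric expiry
        return None
    return username


def area_accepts_token(token, now):
    """Protected area: valid, unexpired token AND the user is still allowed
    by the database at the time of the request."""
    username = verify_token(token, now)
    return username is not None and db_allows(username)


if __name__ == "__main__":
    header = basic_authorization(AREA_USER, AREA_PASS)
    print("shared credential recovered by client:", recover_basic(header))
    token = issue_token("alice", now=1000)
    print("token accepted now:", area_accepts_token(token, now=1000))
    print("token accepted after expiry:", area_accepts_token(token, now=1600))
```

The token approach still leaves the two things the post's own design would also need: the redirect and every later request must go over an encrypted connection, or the token is as exposed on the wire as the shared password would be, and the token should be carried in a cookie rather than in the URL so that bookmarking it does not capture it.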