
[Solved] digest login + session

Added by yurylankovskiy almost 7 years ago

Lighttpd version 1.45
Embedded linux
FastCGI C++

I'm using a digest login in the setup and would like to use sessions to log out the user after a certain time of inactivity. I have searched through topics including the 'session' keyword, but have not found anything relevant to my desire.

Is this even possible? Maybe some libraries required?

Thanks in advance


Replies (10)

RE: digest login + session - Added by gstrauss almost 7 years ago

https://en.wikipedia.org/wiki/Digest_access_authentication
https://tools.ietf.org/html/rfc7235

Client browsers will cache user credentials. This is not something that HTTP Basic or HTTP Digest authentication controls from the server side.

One common solution is for your server-side application to issue a session cookie to authenticated users, and either store the cookie on the server in a database (with timestamp of last use) or to refresh that cookie each request with an encrypted value that includes the timestamp of last use. If the cookie sent by the client is too old, then your application should give the client a 401 Unauthorized and send them back to the login page.

RE: digest login + session - Added by yurylankovskiy almost 7 years ago

Thank you for the response!

That's what I have been developing prior to posting the topic. However, there's a question regarding this implementation.

Let's consider the following scenario:

1) user logs in and a session cookie is generated on the server and stored on the first GET page request
2) user closes the browser without logging out; in the logout procedure (pressing the logout button) I delete the session cookie from the server, but in this case the session cookie is left as is
3) after some time the user enters his credentials again; on the first GET request the session cookie is checked and is expired, I send the user a 401 Unauthorized response and the user is logged out

Is there any way I can catch the step in fcgi when user goes through authorization with digest method? Because otherwise, in the scenario above the user will have to login twice if he didn't logout properly, by pressing the button.

Thank you

RE: digest login + session - Added by gstrauss almost 7 years ago

Loading the login page (on which to enter login credentials) should delete the cookie, so that when a user logs in a session cookie is not sent, because the session cookie does not exist.

RE: [Solved] digest login + session - Added by yurylankovskiy almost 7 years ago

You're exactly right, thank you!

RE: [Solved] digest login + session - Added by yurylankovskiy almost 7 years ago

Although, still I do not think this exactly solves the issue entirely.

Consider for the next example, site main url is test.com and all of the pages under test.com/t/ are accessed after user has successfully logged in.

What you are suggesting is to delete the session cookie from the server when test.com is loaded. However, what if the user's lighttpd digest session has timed out but the session cookie exists on the server, and the user opens one of the pages under test.com/t/? He enters his credentials but still gets kicked out because the session cookie is expired.

RE: [Solved] digest login + session - Added by gstrauss almost 7 years ago

I'll repeat what I said earlier: delete the cookie before submitting login info, either when the login page loads, or with some javascript before sending the login info via POST. Wherever you prompt for credentials, reset the session (clear the cookie).

I don't know why it should matter if "session cookie exists on server". The client has to send the cookie. If the client does not send the cookie, then ... no cookie was sent. It does not matter if the server has a record of an expired cookie or not. The client did not send a session cookie, and so the server should not be validating a session cookie that was not sent. The server should periodically delete expired session cookies, anyway.

Before asking further questions (which are off-topic for this lighttpd discussion board), please do some experiments on your own.

RE: [Solved] digest login + session - Added by yurylankovskiy almost 7 years ago

This is not an off topic question...

"either when the login page loads, or with some javascript before sending the login info via POST"

Again, I am using the digest method: the web server is requesting the login information, I'm not sending any user credentials via POST/GET/etc, and the user can load any page besides the login page and the web server will request user credentials. How am I supposed to know whether the login was processed so I can issue a new cookie on the server/client? It doesn't matter really.

Whether I create a cookie on the client or the server, it does not make a difference, in any way I need to know when the user has logged in using the DIGEST method provided by the lighttpd web server. The question is simple, HOW if possible can I know on the server or the client side that the server has requested for DIGEST login information?

RE: [Solved] digest login + session - Added by gstrauss almost 7 years ago

Your session cookie is part of your application. How you manage that is up to you. Since it sounds like you are new to server-side development, I'll give you the hint that handling authentication must be server-side to be secure, and so part of your app must be server-side.

The question is simple, HOW if possible can I know on the server or the client side that the server has requested for DIGEST login information?

The simple answer: handle the authentication yourself instead of using lighttpd mod_auth. Your server-side app should handle generation and validation of session cookie, and should clear the session cookie when sending 401 Unauthorized. If you are generating and validating the session cookie on the client, then that is not secure, as that javascript can be disabled or bypassed. Please re-read that carefully.

HTTP/1.x is a simple request/response without inherent state. If you are using lighttpd mod_auth for Digest auth and the user sends a request without Digest credentials, then lighttpd responds with a request for credentials.

Some time later, the client sends a request and includes Digest credentials. While it is theoretically possible for lighttpd to store nonces to be able to determine if this is the first response with the nonce or not, there is no good reason for this overhead for most use cases, and lighttpd does not expose this to your theoretical server-side app. If your server-side app needs to generate the session cookie which is part of auth (and send Set-Cookie response header), then you probably should handle all the auth in your server-side application, including Digest auth with nonce generation and WWW-Authenticate header. You can use mod_fastcgi with a FastCGI authorizer to handle auth separately from your primary app, or you can handle the auth in your app on the server-side.

If your needs are simple (and your session cookie handling is insecure), you might use lighttpd custom error pages to send some javascript to clear the session cookie whenever a 401 Unauthorized response is sent, or you can write a small server-side app to handle the custom error page which sets the Set-Cookie header to clear the cookie. See Docs_ConfigurationOptions for server.errorfile-prefix or server.error-handler.
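As an added illustration of the option gstrauss describes above (handling Digest auth in the server-side app itself, with its own nonce generation and WWW-Authenticate header), here is a small Python example. It is not code from the thread or from lighttpd; Python is used because its standard library has the needed hashing primitives, and the same logic would sit inside the poster's C++ FastCGI app or behind a FastCGI authorizer. The realm, the server-only nonce key, the nonce lifetime and the demo user are assumptions constructed for the example. The nonce carries its issue time plus an HMAC tag, so the server can tell whether a nonce is its own and how old it is without keeping a nonce table, which is the point gstrauss raises about lighttpd not storing nonces:

```python
import hashlib
import hmac
import re
import secrets

# Assumptions (not from the thread): the realm, a server-only key for nonces, the nonce
# lifetime, and a constructed demo user. A real app would store HA1 per user, not passwords.
REALM = "example"
NONCE_KEY = secrets.token_bytes(32)
NONCE_LIFETIME = 300                  # seconds; older nonces get a fresh challenge with stale=true
USERS = {"alice": "correct horse"}    # constructed credentials for the demo


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_nonce(now: float) -> str:
    """Stateless nonce: issue time plus an HMAC tag, so age can be checked without a table."""
    ts = str(int(now))
    tag = hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{tag}"


def nonce_age(nonce: str, now: float):
    """Seconds since the nonce was issued, or None if it was not issued by this server."""
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit():
        return None
    expected = hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected, tag):
        return None
    return now - int(ts)


def challenge(now: float, stale: bool = False) -> str:
    """WWW-Authenticate header value to send with a 401 response."""
    header = f'Digest realm="{REALM}", qop="auth", nonce="{make_nonce(now)}", algorithm=MD5'
    return header + ", stale=true" if stale else header


def parse_authorization(header: str):
    """Split 'Digest k="v", k=v, ...' into a dict; None if it is not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def verify(method: str, authorization, now: float):
    """Check the client's Authorization header (Digest, qop=auth, MD5).

    Returns (200, username) on success, otherwise (401, www_authenticate_value).
    """
    p = parse_authorization(authorization or "")
    required = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if not p or any(k not in p for k in required) or p["realm"] != REALM or p["qop"] != "auth":
        return 401, challenge(now)
    age = nonce_age(p["nonce"], now)
    password = USERS.get(p["username"])
    if age is None or password is None:
        return 401, challenge(now)
    ha1 = _md5(f'{p["username"]}:{REALM}:{password}')
    ha2 = _md5(f'{method}:{p["uri"]}')
    expected = _md5(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    if not hmac.compare_digest(expected, p["response"]):
        return 401, challenge(now)                  # wrong credentials or tampered request
    if age > NONCE_LIFETIME:
        # credentials were right but the nonce is too old: stale=true lets the
        # browser retry with a fresh nonce without prompting the user again
        return 401, challenge(now, stale=True)
    return 200, p["username"]


def client_authorization(username, password, method, uri, nonce,
                         nc="00000001", cnonce="0a1b2c3d"):
    """What a browser computes for the Authorization header (used here to exercise verify())."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}", algorithm=MD5')
```

The response is checked before the nonce age, so a stale nonce with correct credentials produces `stale=true` and the browser can retry silently, while a wrong password never does. Because no nonce table is kept, the example does not track the `nc` counter; within the nonce lifetime a captured request could be replayed, which is the trade-off gstrauss alludes to when he says storing nonces is overhead most deployments skip. Note also that this nonce lifetime is a Digest concern and has nothing to do with how long the app's session may stay idle.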

RE: [Solved] digest login + session - Added by yurylankovskiy almost 7 years ago

Thank you for the reply, and sorry for a timely response. I have put this issue aside for some time.

Regarding using the nonce as the identifier to determine if it is the first response, as far as I understand nonce has some lifetime, exactly what it is I could not find out, and looks like it is not configurable.

For example, I have implemented a user inactivity algorithm on the server side which takes into account the IP address, a hash generated based on HTTP_USER_AGENT and the nonce value, and of course the clock. I verify each request for the IP address, hash and nonce, and then compare clock values to determine if the user inactivity has reached its set limit. Now the problem is that the nonce may change during the lighttpd session and the user request comes with a new nonce value, and I take it as a first time response.

Is there anything I can do to make this scheme work properly? Or I have to go with the fastcgi authorizer, or server-side authentication handling?

Thanks again

RE: [Solved] digest login + session - Added by gstrauss almost 7 years ago

Is there anything I can do to make this scheme work properly? Or I have to go with the fastcgi authorizer, or server-side authentication handling?

If lighttpd is handling authentication, then lighttpd is handling authentication.
If your server-side app is handling authentication, then your server-side app should handle authentication, and not lighttpd.

HTTP Basic and Digest authentication are different from sessions. Security policy for nonce lifetimes is not necessarily the same as session lifetimes, and is often quite different since they are very different concepts. Why are you parsing the authentication cookie and using the nonce for session management? (This is not a question for which I care about your answer.) You should encode the session in cookie params (IP address, hashed user-agent, clock, etc, or just your own session ID) with your own encryption key into a cookie which you control, and your session cookie should be separate from lighttpd mod_auth Digest nonce.

You are continuing to overload concepts and are doing so very poorly. You really should study more about session management, as you are not the first person to attempt session management, and you have a very poor understanding of session cookies and HTTP auth Digest, which are separate things. Many other people have solved this "problem" successfully, and have done so in much less time.

tl;dr: Use your own session cookie (recommended), or if you choose to write your own HTTP auth Digest handling, then you ought to study and understand what HTTP Digest is, how it works, and why. I will not be responding to any further posts here.
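The session cookie gstrauss recommends throughout the thread (his first reply: refresh the cookie each request with a value that carries the last-use timestamp and answer with 401 when it is too old; later: generate and validate it server-side and clear it when sending 401; last reply: encode IP, hashed user-agent and clock with your own key, separate from the Digest nonce) can be written as below. This is an added example, not code from the thread or from lighttpd, in Python for the standard-library primitives; the poster would carry the same logic into the C++ FastCGI app. The key, idle limit and cookie name are assumptions. It uses an HMAC-signed record rather than encryption: the contents are readable by the client but cannot be altered or forged, which is what the inactivity check needs.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumptions (not from the thread): the app's own secret key, an idle limit and a cookie name.
SESSION_KEY = secrets.token_bytes(32)   # kept only on the server; never sent to the client
IDLE_LIMIT = 15 * 60                    # seconds of inactivity after which the session is dead
COOKIE_NAME = "sid"


def _fingerprint(remote_addr: str, user_agent: str) -> str:
    """Hash of client attributes stored in the cookie so it is tied to the client it was issued to."""
    return hashlib.sha256(f"{remote_addr}|{user_agent}".encode()).hexdigest()


def _encode(body: dict) -> str:
    """Serialise the session record and append an HMAC so tampering is detectable."""
    payload = base64.urlsafe_b64encode(
        json.dumps(body, separators=(",", ":")).encode()).decode()
    tag = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def issue_session(user: str, remote_addr: str, user_agent: str, now: float) -> str:
    """Create the cookie value right after a successful login."""
    return _encode({
        "id": secrets.token_hex(16),
        "user": user,
        "fp": _fingerprint(remote_addr, user_agent),
        "last": int(now),               # timestamp of last use, refreshed on every request
    })


def check_session(cookie_value, remote_addr: str, user_agent: str, now: float):
    """Validate a cookie sent by the client.

    Returns (200, refreshed_cookie_value) when the session is alive, or (401, None)
    when the cookie is missing, forged, bound to another client, or idle too long.
    """
    if not cookie_value or "." not in cookie_value:
        return 401, None                        # no cookie sent: nothing to validate
    payload, sig = cookie_value.rsplit(".", 1)
    expected = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return 401, None                        # signature mismatch: forged or corrupted
    try:
        body = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:                          # covers binascii.Error and JSONDecodeError
        return 401, None
    if not isinstance(body, dict) or not isinstance(body.get("last"), int):
        return 401, None
    if not hmac.compare_digest(str(body.get("fp", "")), _fingerprint(remote_addr, user_agent)):
        return 401, None                        # cookie presented from a different client
    if now - body["last"] > IDLE_LIMIT:
        return 401, None                        # inactivity limit reached: session expired
    body["last"] = int(now)                     # slide the window forward
    return 200, _encode(body)


def set_cookie_header(cookie_value) -> str:
    """Set-Cookie header for the response: refreshed value, or a clearing cookie on 401."""
    if cookie_value is None:
        return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure"
    return f"{COOKIE_NAME}={cookie_value}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

On every request the app calls `check_session` with the value of the `sid` cookie, `REMOTE_ADDR` and `HTTP_USER_AGENT` from the FastCGI environment; a 200 result is sent with the refreshed cookie, a 401 result is sent with `set_cookie_header(None)` so the browser drops the stale cookie before the user is prompted again, which is the "clear the cookie wherever you prompt for credentials" rule from the thread. `IDLE_LIMIT` is the app's own session policy and is independent of any Digest nonce lifetime. Binding to the IP address means a client whose address changes mid-session is logged out; drop `remote_addr` from the fingerprint if that matters for the deployment.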
