What is Web Authentication
In short, web authentication is the process by which a web application verifies the identity of the party it is talking to, usually a user. The most common method is a user name and password.
Web authentication can be performed in multiple ways.
A. HTTP built-in authentication methods
1. HTTP Basic Authentication
HTTP Basic authentication is the simplest method and has been in use for a long time. It asks for one user name and password per protected domain (realm).
Process introduction:
A. The client browser requests a resource protected by HTTP Basic authentication.
B. The server returns status 401 (authentication required), asking the client for a user name and password. The response carries a WWW-Authenticate header, for example WWW-Authenticate: Basic realm="Restlet tutorial".
C. The browser pops up a window for the user name and password (practically all browsers support Basic authentication and have a built-in credential dialog for it).
D. After the user enters them, the client Base64-encodes the string username:password and sends it in the Authorization request header, for example Authorization: Basic xxxxxxxxxx. Base64 is an encoding, not encryption: anyone who can read the request recovers the credentials, so Basic authentication is effectively plaintext and is only acceptable over HTTPS.
E. If the credentials are valid, the resource is returned. If not, the server goes back to step B and challenges again.
Features:
*. HTTP is stateless, so the browser re-sends the Authorization header with every request for a resource in the same realm; the server checks the credentials each time.
*. The browser caches the user name and password keyed by the realm, so other resources in the same realm do not prompt again.
*. Cached credentials are keyed by realm and server name, so they are not mixed up with logins to other sites or realms. There is no logout: the browser keeps re-sending them until it is closed.
*. Basic authentication is insecure on plain HTTP because the user name, password and content all travel unencrypted.
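The Basic exchange described above (challenge, Base64 credential header, verification), as an added example in Python that is not part of the original article. The user store, the realm string and the hmac.compare_digest check are assumptions for the example; the decoder doubles as the "sniffer's view" showing that the header is reversible.

```python
import base64
import hmac

# Constructed credential store for the example (assumption: a real server would
# store a salted hash, not the plaintext password).
USERS = {"alice": "s3cret"}
REALM = "Restlet tutorial"


def build_basic_header(username: str, password: str) -> str:
    """Client side: what the browser sends after the user fills in the dialog."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str):
    """What anyone who can read the request (a proxy, a sniffer on plain HTTP)
    recovers from the header: Base64 is an encoding, not encryption.
    Returns (user, password) or None if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    # RFC 7617: the user-id may not contain ':', the password may.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def handle_request(headers: dict):
    """Server side: answer 401 with a challenge until a valid Authorization
    header arrives. Returns (status, response_headers, body)."""
    auth = headers.get("Authorization")
    creds = decode_basic_header(auth) if auth else None
    if creds is not None:
        user, password = creds
        expected = USERS.get(user, "")
        # Constant-time comparison so timing does not leak how much of the
        # password matched.
        if user in USERS and hmac.compare_digest(password.encode(), expected.encode()):
            return 200, {}, f"hello {user}"
    # Step B of the flow: challenge the client, naming the realm.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""
```

Because the browser re-sends the same header on every request, a single captured request is as good as the password itself; the only mitigation is TLS.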
2. Digest Authentication
Digest authentication is a challenge-response-based authentication mode.
Process introduction:
A. The client sends a request without authentication information.
B. The web server returns a 401 response with a WWW-Authenticate header, requesting authentication.
C. The client replies with a digest (an MD5 hash by default) computed over the user name, password and other fields, rather than the plaintext password.
D. If the digest verifies, the content is returned; otherwise the server goes back to step B.
Features:
*. Digest authentication exists mainly to fix the biggest weakness of Basic authentication: the user name and password being sent in plaintext.
*. Challenge mode: every 401 response carries a nonce (number used once). For stronger protection the server can issue a one-time nonce, so that each request needs a fresh one and a captured digest cannot be replayed.
*. The checksum (MD5 by default) is computed from the user name, realm, password, nonce, HTTP method and requested URI. In the basic form without qop: response = MD5(MD5(username:realm:password):nonce:MD5(method:uri)).
*. Security risk: although the password is not sent in plaintext, an attacker who captures the digest can replay it for as long as the server still accepts that nonce, and can guess the password offline by recomputing the MD5 until it matches. Digest authentication also does not encrypt the content, so it still needs HTTPS.
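The digest computation and the replay risk just described, as an added Python example that is not part of the original article. It implements the RFC 2617 response without the qop extension; the realm, the user store and the DigestServer class are assumptions for the example. replay_demo runs the same captured Authorization fields twice, once against a server that keeps accepting an issued nonce and once against a server that retires each nonce on first use.

```python
import hashlib
import hmac
import secrets

REALM = "example"
USERS = {"alice": "s3cret"}   # constructed credential store (assumption)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2617 response without the 'qop' extension:
    MD5(HA1 ":" nonce ":" HA2), HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def nonce_from_challenge(www_authenticate):
    """Pull the nonce out of a WWW-Authenticate: Digest ... header."""
    return www_authenticate.split('nonce="', 1)[1].split('"', 1)[0]


class DigestServer:
    """Minimal server side. With one_time_nonce=True every nonce is retired the
    first time it is used, so a captured Authorization header is worthless."""

    def __init__(self, one_time_nonce):
        self.one_time_nonce = one_time_nonce
        self.issued = set()         # nonces handed out and still acceptable

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{nonce}"'}

    def verify(self, username, nonce, method, uri, response):
        if nonce not in self.issued:
            return 401                       # unknown, expired or already used
        if self.one_time_nonce:
            self.issued.discard(nonce)       # retire it whether or not the attempt succeeds
        password = USERS.get(username)
        if password is None:
            return 401
        expected = digest_response(username, password, REALM, nonce, method, uri)
        return 200 if hmac.compare_digest(expected, response) else 401


def replay_demo(one_time_nonce):
    """A legitimate request followed by an attacker re-sending the captured
    username/nonce/response verbatim. Returns (first_status, replay_status)."""
    server = DigestServer(one_time_nonce)
    _, headers = server.challenge()
    nonce = nonce_from_challenge(headers["WWW-Authenticate"])
    response = digest_response("alice", "s3cret", REALM, nonce, "GET", "/secret")
    first = server.verify("alice", nonce, "GET", "/secret", response)
    replay = server.verify("alice", nonce, "GET", "/secret", response)
    return first, replay
```

Note that the digest binds the method and URI, so a captured response cannot be redirected at a different resource, but nothing in it protects the response body, which is why the page's advice to add HTTPS still applies.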
B. Form-based authentication
Form-based authentication is highly customizable and is probably the most widely used method.
Process introduction:
1. The client POSTs the user name and password to the server from an HTML form.
2. The server applies its own logic to decide whether the credentials are valid.
3. If they are, the server returns a cookie that uniquely identifies the client (such as a session ID) for subsequent requests. If not, the user is asked to enter the user name and password again.
Features:
*. Highly customizable: the authentication logic can be implemented however the application needs.
*. The server must keep client state somewhere, typically a session store.
*. The client must hold a cookie that identifies it, usually the user name plus an opaque value such as a session ID.
*. The cookie lifetime and the security of the login are tied together. Many sites offer "remember me": the session is kept on the server and the cookie is kept on the client beyond the browser session. For better security, some sites require the user to log in again with the user name and password before sensitive operations such as changing the password.
C. certificate authentication
Certificate authentication, in which the client presents a digital certificate (typically during the TLS handshake), is the strongest of these methods.
The role of digital certificates is described in detail in this article.
D. authentication methods provided by Microsoft
These are Microsoft-specific and are not covered in detail here.
1. NTLM, supported only in IE.
2. Microsoft Passport (single sign-on).
Many websites now remember the logon state, for example Gmail and Douban.
Let's use Douban's logon page to see how "remember me" works.
1. Do not select "remember me"
The login response carries these Set-Cookie headers:
Set-Cookie: ue="xxxxx@gmail.com"; domain=.douban.com; expires=Thu, 01-Jan-2012 00:00:00 GMT
Set-Cookie: dbcl2="1123439:yhsdfd1yvQ"; path=/; domain=.douban.com
ue is the user name and dbcl2 is the user identifier, similar to a session ID. dbcl2 has no expires attribute, so it is a session cookie that the browser discards when it closes.
This is standard form-based authentication.
2. Select "remember me"
The response is now:
Set-Cookie: ue="xxxxxx@gmail.com"; domain=.douban.com; expires=Thu, 01-Jan-2012 00:00:00 GMT
Set-Cookie: dbcl2="1123439:vY9ssdff0"; path=/; domain=.douban.com; expires=Wed, 25 Mar 2009 07:29:59 GMT
The only difference is that dbcl2 now carries an expires attribute, about one month after login.
So in essence the session is remembered on the server side and the cookie is kept on the client side for a month. Within that month the browser sends the same dbcl2 value on every visit and the server accepts it without asking for the password again.
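A small parser for the two responses above, added here as an example that is not part of the original article. It splits each Set-Cookie value into its attributes, tells session cookies (no expires or Max-Age) from persistent ones, and reports whether the Secure and HttpOnly flags are present. The cookie values are the ones quoted above, reconstructed as separate header lines; the capture time is a constructed assumption chosen a month before the second response's expiry.

```python
from datetime import datetime, timezone

# The two login responses quoted above, as separate Set-Cookie header values.
WITHOUT_REMEMBER = [
    'ue="xxxxx@gmail.com"; domain=.douban.com; expires=Thu, 01-Jan-2012 00:00:00 GMT',
    'dbcl2="1123439:yhsdfd1yvQ"; path=/; domain=.douban.com',
]
WITH_REMEMBER = [
    'ue="xxxxxx@gmail.com"; domain=.douban.com; expires=Thu, 01-Jan-2012 00:00:00 GMT',
    'dbcl2="1123439:vY9ssdff0"; path=/; domain=.douban.com; expires=Wed, 25 Mar 2009 07:29:59 GMT',
]
# Constructed capture time (assumption): exactly 28 days before dbcl2 expires.
CAPTURED_AT = datetime(2009, 2, 25, 7, 29, 59, tzinfo=timezone.utc)

# Both date spellings that appear in the captured headers.
_DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")


def parse_cookie_date(text):
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes get an empty value."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip('"'), attrs


def classify(lines, now=CAPTURED_AT):
    """Return {cookie name: {"lifetime": ..., "flags": [...]}} for a list of
    Set-Cookie values, as an auditor would read them out of a login response."""
    report = {}
    for line in lines:
        name, _, attrs = parse_set_cookie(line)
        expires = parse_cookie_date(attrs["expires"]) if "expires" in attrs else None
        if "max-age" in attrs:
            lifetime = f"persistent ({int(attrs['max-age']) // 86400} days via Max-Age)"
        elif expires is None:
            lifetime = "session (discarded when the browser closes)"
        else:
            lifetime = f"persistent ({(expires - now).days} days)"
        flags = [f for f in ("secure", "httponly") if f in attrs]
        report[name] = {"lifetime": lifetime, "flags": flags}
    return report
```

Running classify over both captures shows the difference the page points out: dbcl2 is a session cookie in the first response and a 28-day persistent cookie in the second. Neither capture shows a Secure or HttpOnly flag, which matters for the theft scenario discussed below.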
Problem
Obviously, the biggest problem here is security.
If the cookie is stolen, an attacker can log on to Douban with the dbcl2 value alone, without ever knowing the password.
How can this be mitigated? Many sites restrict what a session restored from a "remember me" cookie may do: it can view information, but security-sensitive operations such as changing the password require the user to log in again with the user name and password.
Of course, many websites also require the old password when changing the password, which gives a similar level of protection.
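The form-based flow from section B and the mitigation just described, combined into one added Python example that is not part of the original article or of Douban's code. The user store (salted PBKDF2), the session store, the five-minute re-authentication window, the cookie flags and the function names are all assumptions for the example. A stolen "remember me" cookie still reads the profile, but change_password demands both a recent login and the old password, and then revokes every other session of that user.

```python
import hashlib
import hmac
import os
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption for the example: salted PBKDF2, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("s3cret", _SALT))}   # constructed user store

SESSIONS = {}            # sid -> {"user", "authenticated_at", "remember"}
REAUTH_WINDOW = 300      # seconds since login within which a password change is allowed
REMEMBER_DAYS = 30       # lifetime of the "remember me" cookie


def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login(username, password, remember_me=False, now=None):
    """Steps 1-3 of the form-based flow. Returns (status, response_headers)."""
    now = time.time() if now is None else now
    if not check_password(username, password):
        return 401, {}
    sid = secrets.token_urlsafe(32)           # unguessable session identifier
    SESSIONS[sid] = {"user": username, "authenticated_at": now, "remember": remember_me}
    cookie = f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
    if remember_me:
        cookie += f"; Max-Age={REMEMBER_DAYS * 86400}"   # persistent instead of session cookie
    return 200, {"Set-Cookie": cookie}


def sid_from_cookie(header):
    """Extract the sid from a Cookie (or Set-Cookie) header value."""
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == "sid":
            return v
    return None


def view_profile(cookie_header):
    """Low-risk action: any valid session works, including one restored from a
    stolen long-lived cookie."""
    sess = SESSIONS.get(sid_from_cookie(cookie_header) or "")
    return (200, sess["user"]) if sess else (401, None)


def change_password(cookie_header, old_password, new_password, now=None):
    """High-risk action: needs a valid session AND a login within REAUTH_WINDOW
    AND the old password, so the cookie alone is not enough."""
    now = time.time() if now is None else now
    sid = sid_from_cookie(cookie_header) or ""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if now - sess["authenticated_at"] > REAUTH_WINDOW:
        return 403                            # "please log in again"
    if not check_password(sess["user"], old_password):
        return 403
    salt = os.urandom(16)
    USERS[sess["user"]] = (salt, _hash_password(new_password, salt))
    # Revoke every other session of this user so a thief's copy stops working.
    for other in [s for s, v in SESSIONS.items() if v["user"] == sess["user"] and s != sid]:
        del SESSIONS[other]
    return 200
```

The 403 from change_password is where a real site would redirect to the login form; after that fresh login the same cookie-bearing browser passes the check within the window.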