Feature #714

Login framework for µWeb

Added by Elmer de Looff about 12 years ago. Updated about 12 years ago.

Develop a universal login framework for µWeb.

For clients that support it (through JavaScript), it provides a secure challenge handshake where the password is client-side hashed with a salt first, and with a challenge after (to prevent replay attacks by listeners). For clients that don't support hashing (SHA1) in JavaScript, there is a fallback method that sends a plaintext password.


#1 Updated by Elmer de Looff about 12 years ago

  • Assignee changed from Elmer de Looff to Jan Klopper

This is being developed in my homedir in the underdark project, and is now at the stage where I need an example JavaScript implementation that provides the necessary hashing.

There is a JSON interface that expects a POST with a regular form-encoded variable 'username' under which the username should be present. The return value for this will be a JSON object with a salt and a challenge. The client should hash as follows:
  • intermediate = SHA1 -- the salt should first be decoded from Base64
  • result = SHA1 -- the intermediate should be the BYTES resulting from the hash (not the hexdigest) and the challenge should be decoded from Base64
When the user submits, there are two possible paths:
  • Plaintext: there are two fields: 'user' and 'password', which contain the plaintexts of both
  • Challenged: there are two fields: 'user' and 'salted', of which the user field contains the plaintext username, and the salted field is the result previously acquired, in Base64 form.

The current implementation/demo is blocking on a SHA1 hashing library and the necessary JavaScript attention.
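
The challenged path from comment #1, sketched end to end as an added example; it is not part of the original issue or the µWeb code. Assumptions: the concatenation order (password then salt, intermediate then challenge), the server storing the intermediate hash, single-use challenges, the in-memory stores and all function names; Node's `crypto` module stands in for a browser SHA1 library.

```javascript
// Added example, not µWeb code. Assumed: concatenation order, stored value, all names.
const { createHash, randomBytes, timingSafeEqual } = require('crypto');

// SHA1 over the concatenated byte buffers, returning raw bytes (not a hexdigest).
const sha1 = (...parts) => createHash('sha1').update(Buffer.concat(parts)).digest();

// Client: compute the Base64 value for the 'salted' form field.
function clientResponse(password, saltB64, challengeB64) {
  const salt = Buffer.from(saltB64, 'base64');
  const challenge = Buffer.from(challengeB64, 'base64');
  const intermediate = sha1(Buffer.from(password, 'utf8'), salt); // assumed order
  return sha1(intermediate, challenge).toString('base64');        // assumed order
}

// Server: hypothetical in-memory stores standing in for the database.
const users = new Map();   // username -> { salt, intermediate }
const pending = new Map(); // username -> outstanding challenge bytes

function register(username, password) {
  const salt = randomBytes(16);
  const intermediate = sha1(Buffer.from(password, 'utf8'), salt);
  users.set(username, { salt, intermediate });
}

// Reply to the POST carrying 'username': a JSON-ready object with salt and challenge.
function issueChallenge(username) {
  const user = users.get(username);
  if (!user) return null;
  const challenge = randomBytes(20);
  pending.set(username, challenge);
  return { salt: user.salt.toString('base64'), challenge: challenge.toString('base64') };
}

// Check the submitted 'salted' field against the challenge issued for this user.
function verify(username, saltedB64) {
  const user = users.get(username);
  const challenge = pending.get(username);
  pending.delete(username); // single use: a captured response cannot be replayed
  if (!user || !challenge) return false;
  const expected = sha1(user.intermediate, challenge);
  const got = Buffer.from(String(saltedB64), 'base64');
  return got.length === expected.length && timingSafeEqual(got, expected);
}
```

Under the storage assumption made here, the stored intermediate is enough to answer any challenge, so it needs the same protection as the password itself.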

#2 Updated by Elmer de Looff about 12 years ago

The example SQL contains a single user 'Elmer' with the password 'koekjes'.

#3 Updated by Jan Klopper about 12 years ago

  • Target version set to µWeb alpha release

#4 Updated by Jan Klopper about 12 years ago

  • Due date set to 2012-04-13

#5 Updated by Elmer de Looff about 12 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 30 to 100

This has been implemented and rolled out (as of r198). Demo case has been added to the uWeb info project.
