Project

General

Profile

Feature #714

Login framework for µWeb

Added by Elmer de Looff over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jan Klopper
Category:
PageMaker
Target version:
µWeb alpha release
Start date:
2012-03-27
Due date:
2012-04-13
% Done:

100%

Estimated time:
Spent time:
10.50 h

Description

Develop a universal login framework for µWeb.

For clients that support it (through Javascript), it provides a secure challenge handshake where the password is client-side hashed with a salt first, and with a challenge after (to prevent replay attacks by listeners). For clients that don't support hashing (SHA1) in Javascript, there is a fallback method that sends a plaintext password.

History

#1 Updated by Elmer de Looff over 12 years ago

  • Assignee changed from Elmer de Looff to Jan Klopper

This is being developed in my homedir in the underdark project, and is now at the stage where I need an example Javascript implementation that provides the necessary hashing.

There is a JSON interface that expects a POST with a regular form-encoded variable 'username' under which the username should be present. The return value for this will be a JSON object with a salt and a challenge. The client should hash as follows:
  • intermediate = SHA1 -- the salt should first be decoded from Base64
  • result = SHA1 -- the intermediate should be the BYTES resulting from the hash (not the hexdigest) and the challenge should be decoded from Base64
When the user submits, there are two possible paths:
  • Plaintext: there are two fields: 'user' and 'password', which contain the plaintexts of both
  • Challenged: there are two fields: 'user' and 'salted', of which the user field contains the plaintext username, and the salted field is the result previously acquired, in Base64 form.

The current implementation/demo is blocking on a SHA1 hashing library and the necessary Javascript attention.

#2 Updated by Elmer de Looff over 12 years ago

The example SQL contains a single user 'Elmer' with the password 'koekjes'.

#3 Updated by Jan Klopper over 12 years ago

  • Target version set to µWeb alpha release

#4 Updated by Jan Klopper over 12 years ago

  • Due date set to 2012-04-13

#5 Updated by Elmer de Looff over 12 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 30 to 100

This has been implemented and rolled out (as of r198). Demo case has been added to the uWeb info project.

Also available in: Atom PDF