Update: digest authentication implemented.
Since basic authentication is unsecure, username and password are sent unencrypted (base64 encoding) over the network, everyone can see your credentials.
Here is where digest authetication is coming to rescue. Digest authentication never transfer your password over the network, only username. Password is hashed using following formula:
A1 = MD5 (username + ":" + realm + ":" + password) A2 = MD5 (method + ":" + uri) digest = MD5 (A1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + A2)
A1 = MD5 (username + ":" + realm + ":" + password) A2 = MD5 (method + ":" + uri) digest = MD5 (A1 + ":" + nonce
+ ":"
+ nc
+ cnonce
+ qop + ":" + A2)
In order to use digest authetication overy Tersus PHP Proxy, you need two things in your application:
1. Authorization module (same like basic authentication).
2. Authenticate module (application example attached bellow).
Authenticate module can be <Welcome> service (default) or it can have any other name you choose. It is only important to reside in root of your application (system). Proxy will call this service to authenticate user depending on your configuration.
Parameters:
[digest] = service name, can be Welcome (without <>), or any other name you choose for your authentication module
[basic] = username used for basic authentication (default Super). It will be used as password too.
Explanation: your application is protected by basic authentication at first. This is only for your local network or if someone is able to reach your server bypassing proxy. It is also used to specify which part of application you want to be protected. At higher level, your application is protected by digest authentication between your server and the client via proxy. In order to work, digest authentication need to know which credentials can be used to authenticate proxy using basic authetication. Then, proxy is calling your service using parameters contained in above forumula. In this way, it is impossible to know which password client and yor server are sharing.
Note: attached sample is using Super user as example for simplicity. Since all permissions are granted to user Super, it is better to replace Super user by Guest or any other user with lowest possible permisssions, but still able to execute Authenticate module.
Enjoy.
P.S.
Use User/User for Kangaroo authentication if my server is online. Super/Super is disabled by digest authentication (see atached example).
Kangaroo.tersus
To use the full functionality of this web site, JavaScript needs to be turned on.
For best results, use the Firefox browser..
Copyright © 2003-2017 - Tersus Software Ltd., All rights reserved. Terms of Use License Graphic design by EmaraDesign
