HTTPOnly ?
The XSall implementation of OpenSignOn is not using the HTTPOnly flag now. I don’t see any XSS problems but perhaps it would not hurt to implement it. An extra wall always helps.
Clickpass OpenID
Clickpass OpenID launched yesterday. They seem to make OpenID more usable. This is good. Perhaps we can add them as an XSall ID Provider.
Perl HTTP_AUTHORIZATION test

Theo wrote an HTTP_AUTHORIZATION test. If you have mod_rewrite enabled on your Apache 2 server, put the following files in some folder. If you go to index.cgi from your browser it will show the default login box. Just enter some username / password and they will be shown on the page. Very cool Theo. Thanks.
This will help me create the first XSall tests without using mod_perl. If someone would like to create a Digest example, please do. I'd like to test it and perhaps blog about it.
.htaccess
RewriteEngine on
RewriteRule \.cgi$ - [E=HTTP_AUTHORIZATION:%{HTTP:AUTHORIZATION},L]
index.cgi
#!/usr/bin/perl
use strict;
use warnings;
use CGI ':cgi';
use MIME::Base64;
binmode STDOUT;
my ($user, $password);
# Set by the mod_rewrite rule in .htaccess above; CGI does not get it otherwise.
my $auth = $ENV{HTTP_AUTHORIZATION};
if (defined $auth and $auth =~ /^Basic\s+/) {
    $_ = decode_base64($');
    # Limit the split to two fields so a password containing ":" stays intact
    # (only the username may not contain ":").
    ($user, $password) = split(':', $_, 2);
    $password = '' unless defined $password;
}
if (!defined($user) or $user eq '') {
    print "Status: 401\r\n";
    print "WWW-Authenticate: Basic ";
    print "realm=\"testers\@taletn.com\"\r\n";
    print "Content-Type: text/plain\r\n";
    print "\r\n";
    print "401\n";
    exit 0;
}
print "Content-Type: text/plain\r\n";
print "\r\n";
print "Authorization: $auth\n";
print "User: $user\n";
print "Password: $password\n";
exit 0;
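As an added example (not Theo's code), the header parsing from index.cgi pulled into a function and run over constructed header values: it keeps a ':' inside the password by limiting the split to two fields, accepts the scheme name case-insensitively, and rejects empty usernames, other schemes and malformed Base64. The names parse_basic_auth and challenge_headers are chosen here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Parse the value that the mod_rewrite rule passes through as
# $ENV{HTTP_AUTHORIZATION}. Returns (user, password) for a well-formed
# Basic header and an empty list otherwise, so the caller can fall back
# to the 401 challenge. Base64 is an encoding, not protection: anyone who
# sees the request can read the credentials, so serve this over HTTPS.
sub parse_basic_auth {
    my ($auth) = @_;
    return () unless defined $auth;
    # Scheme name is case-insensitive (RFC 2617); accept exactly one
    # Base64 token after it and nothing else.
    (my ($b64) = $auth =~ m{^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$}i) or return ();
    my $decoded = decode_base64($b64);
    # Only the first ':' separates the fields, so a password containing
    # ':' survives intact (a user-id may not contain ':').
    my ($user, $password) = split /:/, $decoded, 2;
    return () unless defined $password && length $user;
    return ($user, $password);
}

# The challenge index.cgi sends when no usable credentials arrived.
sub challenge_headers {
    my ($realm) = @_;
    return "Status: 401\r\n"
         . "WWW-Authenticate: Basic realm=\"$realm\"\r\n"
         . "Content-Type: text/plain\r\n\r\n";
}

# Self-test on constructed header values (not captured from a client).
unless (caller) {
    my %expect = (
        'Basic ' . encode_base64('alice:s3cr:et', '') => ['alice', 's3cr:et'],
        'basic ' . encode_base64('bob:', '')          => ['bob', ''],
        'Basic ' . encode_base64('nocolon', '')       => [],   # no separator
        'Basic ' . encode_base64(':pw', '')           => [],   # empty user
        'Bearer abc'                                  => [],   # other scheme
        'Basic not*base64*'                           => [],   # malformed token
    );
    for my $hdr (sort keys %expect) {
        my @got  = parse_basic_auth($hdr);
        my $want = $expect{$hdr};
        die "FAIL for '$hdr': got [@got]\n" unless "@got" eq "@$want";
        print "ok: $hdr -> [@got]\n";
    }
    print challenge_headers('testers@taletn.com');
}
```

Run it directly to see the self-test pass; in a CGI, call parse_basic_auth($ENV{HTTP_AUTHORIZATION}) and print challenge_headers() when it returns nothing.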
Access $ENV{'HTTP_AUTHORIZATION'} from Perl/CGI update
I wrote about the code from Munzli yesterday. It seems there were some copy-and-paste errors on his blog. When I enabled mod_rewrite on my Apache 2 test PC, Munzli's code was not working even when I changed 'o' to 'on'. The code that works for me is:
<ifmodule mod_rewrite.c>
RewriteEngine on
RewriteRule myscript.cgi - [E=HTTP_AUTHORIZATION:%{HTTP:AUTHORIZATION},L]
</ifmodule>
You can also write RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:AUTHORIZATION},L] to get it to work on any script. I still need to read about the PT or QSA flags you can put before the ,L.
Access $ENV{'HTTP_AUTHORIZATION'} from Perl/CGI
It seems this change in the Apache 2 httpd.conf:
<ifmodule>
RewriteEngine o
RewriteRule ^scriptname(.*) scriptname$1 [E=HTTP_AUTHORIZATION:%{HTTP:AUTHORIZATION},PT,L]
</ifmodule>
will give me access to the $ENV{'HTTP_AUTHORIZATION'} environment variable in Perl without using mod_perl. I still have to try it but this looks promising. Thanks Munzli. More here.
OAuth Core 1.0 Draft 4 was released October 3, 2007
It seems they forgot Domain Clouds like I will use for the XSall Authentication. Still, it is an interesting draft to read.