How can I improve HTTP Basic Authentication?
I am currently working on a API site based on Zend Framework. As ZF doesn't have sufficient support for Digest Authentication and it is too late to shift to another framework now, I am thinking of implementing Basic Authentication.
Basic and Digest are not actually the ideal way to perform authentication, while Digest is better but unfortunately not quite supported by Zend (implementing it properly will take too much work, need the project do开发者_如何学Gone asap). One of the big problem with Basic auth is that password is sent in cleartext form. I am thinking instead of sending the password in cleartext form, can I somehow hash it using one-way-hashing algorithm / bcrypt to avoid sending password in cleartext form? But it is still suffering from man-in-the-middle attack though.
But if comparing the basic authentication with current form-based authentication used by most web-apps, are they both sharing the same security problem while transferring the request to the server?
Your best option for keeping the request secure is to use SSL for your authentication requests to ensure that the information isn't sent in plaintext.
If you try to do some kind of hashing or encryption on the client before sending the authentication request, you immediately expose your hashing algorithm and any salts you might be using to malicious users. This makes it possible for them to use dictionary attacks against your server.
But if comparing the basic authentication with current form-based authentication used by most web-apps, are they both sharing the same security problem while transferring the request to the server?
Absolutely they are. Again with forms based authentication your best bet is to use SSL.
Alternatively, you might consider using an external authentication service like OAuth.
Hum, Zend Framework has an Digest Adapter for Authentication?
Manual: Zend Digest Authentication
You could always write your own Zend_Auth_Adapter
for HTTP authentication. I implemented Zend_Auth_Adapter_Http_Resolver_Interface
to have different passwords each day in the format of default password + day + month. Works like a charm!
精彩评论