I would like to auth my users on an Active Directory server to access a webserver. However I don't want the passwords to be sent in clear to the webserver.
All the solutions I have found use a POST request with the plain password such as this example:
<?php
// using ldap bind
$ldaprdn = 'uname'; // ldap rdn or dn
$ldappass = 'password'; // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
or die("Could not connect to LDAP server.");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}
}
?>
Is there a way to hash the password on the client side then send a token to the backend which is used to authenticate to the LDAP server?
PHP is just an example, my question is not language specific.
If you know the hashing algorithm of the LDAP-backend then you might be able to hash the password in javascript and send only that to the server. That would mean though that your LDAp-authentication script needs to be able to read all the password-hashes to be able to compare them to the prehashed password.
I'd consider that a higher risk than sending the cleartext-password via a TLS-secured HTTP-connection (aka Https) to the server that then uses the default bind-mechanism also via a tls-secured (ldaps or starttls).
And as you are not using the bind-mechanism all possible enforcements of password-policies or locked passwords that are readily available and implemented and supported by your direcrory-admins now need to be rebuilt and maintained by yourself also.
Related
Good morning!
I have currently a django/angular application where my users use LDAP auth with multiple domains. I would like to get (via server-side or via frontend) the user dns domain, by meaning the equivalent to the environmental variable %USERDNSDOMAIN% in Windows so I can use dinamically this variable inside the server-side instead of having multiple url for each domain so I can have a global LDAP auth.
For now I have the user IP, which is obtained directly from the request via django request:
request.META.get('REMOTE_ADDR')
So far I have tried getting the DNS from the given ip by using python dns library:
dns.reversename.from_address("REQUEST_IP")
and also using the python sockets library
socket.gethostbyaddr('REQUEST_IP')
The first one works but does not give the result I am looking for, and the second one does not work properly:
---> 10 socket.gethostbyaddr('REQUEST_IP') herror: [Errno 1] Unknown host
Have a good day!
I cannot sucessfully log in onto our SFTP server using ex-sftp, which is part of Bizzflow.net. When I try to use credetials in any SFTP client, it works, but using Bizzflow.net extractor ends with incorrect name or password error message.
the issue is when username uses some non alphabetical characters. Typically, when SFTP is hosted on Windows server and login uses domain\username format, this issue occurs. The reason is the ex-sftp does not encode username correctly. Best solution would be to use local username without domain\ prefix. Also you can submit bug to ex-sftp on https://gitlab.com/bizzflow-extractors/ex-sft
My config file looks like this:
ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);
session_start();
//database connection part...
When accessing this page via https://www.mysite.com/config.php, the PHPSESSID cookie it's "Secure" slot is empty. Visiting the page via http://www.mysite.com/config.php shows the exact same cookie, with the same value.
I'm new to this so maybe I'm wrong, but this shouldn't happen, right? What am I doing wrong?
Thanks!
The ini_set method requires a string value so update your code to the following:
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');
session_start();
The session id will be sent to the client regardless of HTTP or HTTPS. You must make this distinction in your code because, apparently, PHP does not.
Fiddle with this on http (not https), leave cookie_secure set to 'on'. You will see that the cookie is transmitted to the client. (Use your favorite cookie analysis here.) But, on reload, the cookie is not submitted back to the server. cookie_secure - the client will transmit the cookie only over a secure connection.
<?php
ini_set('session.cookie_secure','on');
session_name('test');
session_start();
session_regenerate_id();
echo "test: '".$_COOKIE['test']."'";
?>
Change the setting to 'off' and, after the second reload, you will see that the session cookie is transmitted back to the server.
To validate that you on a secure connection and should even call session_start:
<?php
$secure = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "" );
if(!$secure) {
$r = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
header("Location: $r");
exit("use https!");
}
//if($secure) {
session_start();
/* and other secure happenings;;; */
//}
?>
or How to find out if you're using HTTPS without $_SERVER['HTTPS']
Note: This looks like a security flaw in PHP, to me, since the session id will be transmitted in cleartext: according to OWASP this is exactly what the SecureFlag is intended to prevent. https://www.owasp.org/index.php/SecureFlag --- I am using PHP 5.5.8 ; Perhaps this is a 'feature' of the language. The definition seems to be directed solely toward the client and not the server.
I need associate logged users in my django web app with their socket.io sockets in node.js app, because for real-time part of web i want to use node.js. Session data will be stored in database. I think i can access cookies in browser, so i can send to node.js app cookie value, that acts like user identifier, but i think this isn't good idea. Is there any other way how to do this?
The cookie can be accessed inside the authorization event. So if you're already using a cookie to store session authentication data, it's pretty easy to integrate that into socket.io. There are some pre-built modules for doing this sort of thing, like SessionSockets.
This article gives some insights into how to do it yourself. The most important section is exerpted below:
var parseCookie = require('connect').utils.parseCookie;
sio.set('authorization', function (data, accept) {
// check if there's a cookie header
if (data.headers.cookie) {
// if there is, parse the cookie
data.cookie = parseCookie(data.headers.cookie);
// note that you will need to use the same key to grad the
// session id, as you specified in the Express setup.
data.sessionID = data.cookie['express.sid'];
} else {
// if there isn't, turn down the connection with a message
// and leave the function.
return accept('No cookie transmitted.', false);
}
// accept the incoming connection
accept(null, true);
});
sio.sockets.on('connection', function (socket) {
console.log('A socket with sessionID ' + socket.handshake.sessionID
+ ' connected!');
});
I am currently in the finishing stages of building an application and have asked the user group to perform production-level usage testing on the application. My application is a makeshift order management system that sends an email to a customer when an order is saved that includes an invoice.
I ran into a problem yesterday when I was doing some testing; this environment currently contains production-quality data, including old customer records. I processed a few orders and forgot about the functionality, and the customer who I did the orders for received emails saying the order is complete. Good that it worked, bad that it lead to this confusion.
The action I would prefer would be to set something somewhere within the application that forces all emails, regardless of the to recipient, to be sent to a specific address, though I would settle for simply being able to turn it off for this application alone. Turning it off on the server level is available not a preferred option due to the need to perform testing on other applications that process email, but are not populated with production-quality data.
Are there any specific flags or code I can use to override server settings in the application to only send email to a certain address based on how we identify our environment, or to not send email altogether?
Reference this page:
http://cookbooks.adobe.com/post_How_can_I_use_Application_level_SMTP_Server_Settin-16469.html
For testing purposes you could set the SMTP server to a non existant IP address. The cfmail routine will still work and coldfusion will move it to an undeliverable folder.
You could add <cfif> statements around it to determine if your on a production URL or dev URL so that it uses the right server while on the production server, or uses the "fake" server while on your development server. OR while on the production server, have an on/off variable that you could use to test emails through your smtp server or shut off emails and route them to the fake SMTP server.
If your on version 8.0 or older, you can setup an application level variable for your mail server and modify your cfmail tags to reference:
<cfmail server="#application.mailserver#" to="" from="" subject="">
This solution presumes you use the same mail server but just want to swap emails to a test address (perhaps yours, so you can see the result). It also presumes your live server name resolves to something that has 'www.something.somethong.' and your dev/test/qa etc servers do not.
In your Application cfc onApplicationStart() try this:
<cfscript>
if(listFirst(CGI.SERVER_NAME,'.') != 'www') {
Application.szEmailToTestEnv = 'test#somewhere.com'; // Use your test email here
}
</cfscript>
Then where you send the email have a bit of logic infront of your mail param such that:
<cfscript>
if(isDefined('Application.szEmailToTestEnv') && len(Application.szEmailToTestEnv)) {
Variables.szEmailTo = Application.szEmailToTestEnv;
} else Variables.szEmailTo = Variables.qCustomerEmail;
</cfscript>
And then in your cfmail:
<cfmail to="#Variables.szEmailTo#"....
Adjust scopes and variable names and value as necessary.
Essentially, any 'site' (say dev.yoursite.com) that is not your live site will then use the test email you set at app startup to send the email and live will continue to use the correct customer email with no code changes between your live and test code.