Basic Authentication for Web Application

Hello,

I want to implement a basic authentication in my web app.

I know there is a possibility to do this on a SpecialUrl Basic Authentication on SpecialUrl but I wasn’t able to get this authentication result back to my Session.

So is there a way to perform a basic authentication within a web session?

While it can be done, I’d save my sanity and spend the €99 to buy a license to Christian’s “Web Starter Kit” as it contains that and so much more for session management.
MBS Web Starter Kit

Thanks for the reply.
I’ve tried that before and used a SecurityScanner on my application.
The problem was that the SecurityScanner was able to bypass the authentication and to alter some of the data.
So I explicitly want to use Basic Auth which I can also pass through the Apache as a reverse proxy.
With mod_security I can then block brute force attacks and other security breaches.

Unfortunately I have no access to the logged in user if I’m using the authentication of the apache webserver itself.

@Christian Schmitz - can you comment on Mario’s description?

[quote=368960:@Mario Schweda]Hello,

I want to implement a basic authentication in my web app.

I know there is a possibility to do this on a SpecialUrl Basic Authentication on SpecialUrl but I wasn’t able to get this authentication result back to my Session.

So is there a way to perform a basic authentication within a web session?[/quote]
Try that same thread, but use App.HandleUrl instead. You can actually interrupt a session connection before it starts there when Request.Path = "". Just make sure you return False if a request is allowed to go through, otherwise no one will be allowed to connect.

If you need basic authentication, that’s something you can do in HandleSpecialURL for a web service you created yourself.

My WebStarter Kit doesn’t do that. But it does a ton of other things.

okay that’s working so far but how do I sneak the username / password into the application?
I added a property named authenticated to the session.
The problem is that the event App.HandleUrl has no access to the Session.

If user comes to a webpage, you can check session’s header properties.

For offering API, you don’t use session, but check headers from the request object.


So the username and password are passed through the headers?
I suppose that’s not very secure. A man in the middle could easily sniff the headers out of the session.

For that you use SSL.

okay never mind…

FYI, any time you use Basic Authentication, the username and password are sent in the header, not just with Xojo. You should always use SSL when sending any kind of user credentials over a network connection, regardless of the programming language you use.
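
Added example, not part of any post in this thread and not Xojo code: a language-neutral Python sketch of the header handling a request handler (or a backend behind an Apache reverse proxy that forwards the `Authorization` header) has to perform for Basic Authentication. The user store, realm name, `is_tls` flag and the 403 response for non-TLS requests are assumptions of the example.

```python
import base64
import binascii
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed sample value


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store: user -> (salt, PBKDF2 hash); never store plaintext.
USERS = {"mario": (_SALT, _kdf("correct horse", _SALT))}
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="app", charset="UTF-8"'})


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(headers, is_tls):
    """Return (status, response_headers, user) for one request.

    headers: dict of request headers (assumed already name-normalized).
    is_tls: caller's knowledge of whether the client connection used TLS.
    """
    if not is_tls:
        # Base64 is an encoding, not encryption: refuse credentials on plain HTTP.
        return 403, {}, None
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return (*CHALLENGE, None)
    user, password = creds
    salt, expected = USERS.get(user, (_SALT, b"\0" * 32))
    # Run the KDF and a constant-time compare even for unknown users.
    ok = hmac.compare_digest(_kdf(password, salt), expected) and user in USERS
    return (200, {}, user) if ok else (*CHALLENGE, None)
```

The returned `user` is the value an application would copy into its own session state once the request is accepted.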

I know that. Thanks for mentioning that.
It’s just a bit frustrating that there is no standard Basic and/or Form authentication included in Xojo.
If I want to write a simple (web) application, I always have to use workarounds or third-party plugins to achieve what’s pretty standard in other development frameworks.

For the application I want to write this time I need about 5 or 6 external plugins.
Some of them are bundled, for some of them I have to buy several plugin packages of the same developer.

But that has nothing to do with this thread, so I’m going to stop whining about good times and find a workaround for all the missing parts.

Thanks anyways for your help guys.