
I've set up lighttpd on my embedded device and configured the modules in the lighttpd.conf. When accessing the web pages from Chrome or Firefox on the PC, I get asked for the username and password, and after I supply them the page loads.

When I do the same on the iPad or iPhone Browser I also get the authentication dialog but for some reason it pops up repeatedly.

Using the mod_accesslog module I was able to see that the iPad still makes requests without using authentication, which results in HTTP 401 for some requests:

192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET /[...] HTTP/1.1" 304 0 "http://192.168.2.247/" ...
192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET /[...] HTTP/1.1" 304 0 "http://192.168.2.247/" ...
192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:33 +0200] "GET /[...] HTTP/1.1" 401 351 "http://192.168.2.247/" ...
192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:56 +0200] "GET / HTTP/1.1" 401 351 "-" ...

I also tried to add the mod_access module but that did not change anything.

Does the problem lie in the browser or the lighttpd webserver or its modules/configuration? How can it be fixed?

The relevant parts of my lighttpd.conf file look like this:

# mod_auth must be loaded before mod_fastcgi
server.modules = (
    "mod_auth",
    "mod_cgi",
    "mod_fastcgi"
)

The section with the mod_auth configuration looks like this:

auth.debug = 0
auth.backend = "plain"
auth.backend.plain.userfile = "/tmp/lighttpd-plain.user"
auth.require = (
    "/" =>
    (
        "method" => "digest",
        "realm" => "myRealm",
        "require" => "valid-user"
    )
)

edit:

One thing that I forgot to mention was that the web page makes AJAX requests using jQuery. The requests don't set the username and password variables. On all browsers this works without problems after the user has authenticated himself via the browser's popup dialog.

I think the AJAX requests on Safari might be the ones that don't use any credentials and thus get the 401 etc. Is there a way to make it use the credentials the user provided in the dialog box?

trenki
  • Have you found a solution to this problem? – jftuga Nov 05 '12 at 18:46
  • No, I have not found a general workaround. Making the cgi script that my Ajax calls used accessible without credentials worked for my specific case though. – trenki Nov 05 '12 at 19:35
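To check the hypothesis in the question (a client that has already authenticated keeps sending credential-less requests that draw 401s, as opposed to the normal first-contact 401 challenge), here is an added example that walks lighttpd's default accesslog format and reports, per client, the URLs that lost their credentials. This is not code from the original post; the sample log lines are constructed in the style of the question's excerpt, and their paths and user agents are made up.

```python
import re
from collections import defaultdict

# lighttpd's default accesslog format, as in the question's log excerpt:
#   %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<host>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample in the style of the question's excerpt; the paths and
# user agents are made up, since the question elided them.
SAMPLE_LOG = """\
192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET /index.html HTTP/1.1" 304 0 "http://192.168.2.247/" "Mozilla/5.0 (iPad)"
192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET /style.css HTTP/1.1" 304 0 "http://192.168.2.247/" "Mozilla/5.0 (iPad)"
192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:33 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 401 351 "http://192.168.2.247/" "Mozilla/5.0 (iPad)"
192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:56 +0200] "GET / HTTP/1.1" 401 351 "-" "Mozilla/5.0 (iPad)"
192.168.2.50 192.168.2.247 - [10/Apr/2011:16:02:10 +0200] "GET / HTTP/1.1" 401 351 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.168.2.50 192.168.2.247 wwwX [10/Apr/2011:16:02:14 +0200] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

def parse_line(line):
    # Parse one accesslog line into a dict, or return None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def credential_less_after_auth(lines):
    """Map client -> paths that drew a 401 with no user (%u == '-') after that
    client had already completed an authenticated request."""
    # A 401 before any authenticated request is the normal challenge and is ignored;
    # one after it means the client dropped its credentials for that URL.
    authenticated = set()
    suspects = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["host"]
        if rec["user"] != "-" and rec["status"] != 401:
            authenticated.add(client)
        elif rec["status"] == 401 and rec["user"] == "-" and client in authenticated:
            suspects[client].append(rec["path"])
    return dict(suspects)

def analyze_sample():
    return credential_less_after_auth(SAMPLE_LOG.splitlines())
```

On the sample, `analyze_sample()` flags only the iPad client (192.168.2.33) with the CGI path and `/`, while the PC client's initial 401 followed by a 200 is treated as a normal login. Run it over the real accesslog to see which URLs the Safari AJAX calls are hitting without credentials.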

1 Answer

auth.require = (
    "/" =>
    (
        "method" => "digest",
        "realm" => "myRealm",
        "require" => "valid-user"
    )
)

That's because you're using digest authentication, which is not supported / buggy on some browsers. You should either use the basic method (which is not secure) or implement your own authentication using cookies. If you're interested in a secure and efficient authentication solution (built-in protection against brute-force attacks and account sharing) please check our site: finesec.com

FINESEC
  • Is it still insecure over https? – jftuga Nov 06 '12 at 16:55
  • If you use https on every page then it's secure. There're still some problems with efficiency, because with basic/digest authentication username/password is verified on each request (for every html page, css file, image, etc). – FINESEC Nov 06 '12 at 17:40
  • Also there's no way to logout when basic/digest authentication is used (you need to close the browser in order to logout). – FINESEC Nov 06 '12 at 17:51
  • Please add a comment if you're voting down. – FINESEC Nov 07 '12 at 22:29