[asterisk-bugs] [Asterisk 0010961]: [patch] Add HTTP Basic Authentication Scheme (rfc2617) for manager web interface.

noreply at bugs.digium.com noreply at bugs.digium.com
Mon Dec 10 09:17:45 CST 2007


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=10961 
====================================================================== 
Reported By:                ys
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   10961
Category:                   Core/HTTP
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     new
Asterisk Version:            SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 85514 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             10-12-2007 06:48 CDT
Last Modified:              12-10-2007 09:17 CST
====================================================================== 
Summary:                    [patch] Add HTTP Basic Authentication Scheme (rfc2617) for manager web interface.
Description: 
I found that the manager web interface uses the "Cookie" header to authenticate
the user. This requires two HTTP requests, one to authenticate and the next for
commands.
This patch adds only the Basic authentication scheme implementation, as defined
in rfc2617.
If this scheme is used, httptimeout is unused, but we don't need to keep an
HTTP session (and mansession) alive after the HTTP request is processed.
====================================================================== 
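As an added illustration of the RFC 2617 credential format this patch targets (example code written for this note, not the submitted patch or Asterisk's own HTTP code): a parser for the Authorization header value that decodes the base64 token and splits the user-id from the password on the first colon, since a password may itself contain colons. The function names are mine, and it assumes the header value has already been stripped of its line ending.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp */

static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                      /* outside the base64 alphabet */
}

/* Decode base64 into a NUL-terminated buffer; returns length or -1 on bad input. */
static int b64_decode(const char *in, char *out, size_t outlen)
{
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_val(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;   /* never overrun the caller's buffer */
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse an RFC 2617 "Basic <base64(user-id:password)>" credential value.
 * Scheme match is case-insensitive; the user-id must be non-empty and cannot
 * contain ':', while the password may, so the split is on the first colon.
 * Returns 0 and fills user/pass on success, -1 on any malformed input. */
int parse_basic_auth(const char *hdr, char *user, size_t ulen, char *pass, size_t plen)
{
    char buf[256]; const char *colon; size_t ul;
    if (strncasecmp(hdr, "Basic ", 6) != 0) return -1;
    for (hdr += 6; *hdr == ' '; hdr++) ;          /* RFC allows 1*SP before the token */
    if (b64_decode(hdr, buf, sizeof buf) < 0) return -1;
    colon = strchr(buf, ':');
    if (colon == NULL || colon == buf) return -1;
    ul = (size_t)(colon - buf);
    if (ul >= ulen || strlen(colon + 1) >= plen) return -1;
    memcpy(user, buf, ul); user[ul] = '\0';
    strcpy(pass, colon + 1);
    return 0;
}
```

A request without a valid credential should be answered with 401 and a WWW-Authenticate: Basic challenge, and because the token is only base64-encoded rather than encrypted, the manager interface belongs behind TLS.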

---------------------------------------------------------------------- 
 msetim - 12-10-07 09:17  
---------------------------------------------------------------------- 
Wow! IMHO, I think that it's not so insecure to pass the user and
password using GET parameters from the URL. Am I right?

I see two problems using the actual method:

1. Any network monitoring can detect the URL (in Basic HTTP too, so it's
not so easy to see)
2. Anyone can connect to the manager just by typing a URL with user and pass (in
a call center context it is very insecure)

Well, I'm not a network specialist; however, it's my two cents. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
12-10-07 09:17  msetim         Note Added: 0075125                          
======================================================================