This project is archived and is in readonly mode.

#2209 ✓resolved
Don Parish

Patch #3 for HTTP Digest Auth

Reported by Don Parish | March 11th, 2009 @ 06:50 AM | in 2.x

This patches supersedes #2000. The current HTTP Digest authentication seems to be broken in Rails 2.3.1 in my tests in the browser and curl. The tests pass, but it seems to fail real life :)

The new behavior of Rails is that sessions will be turned if they are not referenced in an action. The existing code uses the session_id to make the nonce. In the functional tests, this passes because session_id = "". However, when testing a simple controller in the browser, the session_id is +nil+, and throws an exception when calculating the opaque.

I've added a test to catch this behavior. I've also modified the code as described in #2000 to allow a hashed version of the user's credentials to be stored (ha1 hash) as well as the plain text password. This is consistent with the intention of digest auth and the implementation in Apache.

I know this may be too late to get into 2.3, but since HTTP Digest has been advertised as a new feature, I wanted to help make it work.

Comments and changes to this ticket

  • Don Parish

    Don Parish March 12th, 2009 @ 02:42 AM

    Cleaned up git commits so changes easier to follow. Patch has 3 commits: fix for earlier commit, support for using digested password, and support for session-less connections.

  • Gregg Kellogg

    Gregg Kellogg March 12th, 2009 @ 06:09 AM

    I think it's important to get these patches in, but there should be a follow up to deal with the potential unavailability of the session_id. This could be done either by promoting nonce, validate_nonce and opaque to ControllerMethods so that they can be overridden, or to create some other method, such as "nonce_seed" that can be implemented by an application to provide a more secure seed than a potentially unavailable session_id. The advantage of promoting nonce is that a truly persistent nonce value could be saved in the database to allow for the intended semantics of Digest Authentication. The OAuth plugin does this, for example. It can default to the existing method.

  • Repository

    Repository March 12th, 2009 @ 02:36 PM

    • State changed from “new” to “resolved”

    (from [be7b64b35aac1c9e9063d1d8317f8b1be2a3411c]) Support MD5 passwords for Digest auth and use session_options[:secret] in nonce [#2209 state:resolved]

    Signed-off-by: Pratik Naik pratiknaik@gmail.com http://github.com/rails/rails/co...

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

People watching this ticket

Attachments

Referenced by

Pages