Authenticating with Javascript? 1

[oppcos]

Hi,
I'm using ssl and Basic Authentication on my IIS website. I need to have my own custom login page however and this authentication is causes a popup. Is there any way to send the credentials via javascript to the webserver when they click login on my form (and are sent to the secure area)?

I would like to maintain the server side authentication as it is since it puts the username in the server log files and so that I don't have to figure out a way to add special security to each and every file on the web server. Any pointers or suggestions would be greatly appreciated.
Thanks

 

[Sheco]

Are you saying that you have two different types of authentication?

The user must authenticate with the server's file system in order to receive web pages and additionally it must authenticate with your web application for another reason?

 

[manarth]

I'm using ssl and Basic Authentication

Basic authentication causes a popup. The only way to avoid the popup is to encode the username/password into the url in the form:[ignore]
http://[/ignore]usernameassword@[ignore]www.example.com/protected/[/ignore]

Obviously this has it's own security risks.

Session-based security is better, and on IIS could be implemented via ASP.

Something you see from time to time on corporate PCs is Kerberos Authentication - users who are logged onto a domain have their login credentials passed automatically by IE to the web server, which authenticates them against the domain controller.

Last time I checked, Kerberos Auth was specific to IE (there was a Moz module, but it required configuring and compiling your own version of Moz - binaries not available).

---
Marcus
better questions get better answers - faq581-3339
accessible web design - zioncore.com

 

[oppcos]

Sheco, no, the issue is that the popup box doesn't necessarily work for the way the app is setup (plus it is kind of ugly that way). For instance, the username/password sent to the server may go through some extra phases before I want it to land at IIS's system.

I've been researching this for a week with no luck but now that I've posted it as a question I stumbled upon a solution using XMLHttpRequest. If anyone else is looking for a similar solution, here's the snippet of code sample that set off my lightbulb:

<script>
    var xmlHTTP = new ActiveXObject("Microsoft.XMLHTTP");
    xmlHTTP.open("get","[URL unfurl="true"]http://www.whatever.com/logon",[/URL] & _
        false, strUser,strPwd);
    xmlHTTP.send("xmlDoc");
    document.write (xmlHTTP.responseText);
</script>

Sorry, lost attribution (search Google groups).

manarth, I didn't know the usernameassword@url.com thing either, thanks for that. Using Javascript I can have more control over the aesthetics, however if they have javascript disabled I may be able to default to a link like that, so have a star.

Using SSL and Basic Authentication has some great benefits though as I can manage users and groups via Active Directory, set permissions straight on the file system, have the user names show up in the log files, and not depend upon just one server side language to pass session security - I can even use the same security on static files such as pdfs and plain html. I agree that without the SSL to encrypt things it would be a bad idea, however.

Thanks!