Novel Website Access Control

[aldra]

I'm currently writing up a small security module to keep people out of my web apps, and I've been thinking about unusual ways of doing so.

For example, there's basic stuff like ip filtering or the password screen, which can be hardcoded, saved/hashed in database, processed via ldap etc, but that's boring.

I've been playing around with the idea of using custom HTTP headers to authenticate - for example, you can only view secret.php if you have the HTTP header 'x-secret-allowed YES'.

Another example would be captchas - captchas are boring, but I've seen a few interesting takes on it like randomly loading pictures from the RSPCA website and saying SELECT THE CAT!


anyway, I'll post source soon, anyone got other interesting ideas? They don't need to be super secure.

[Lanny]

You probably already realize this but the header approach without SSL is morally equivalent to sending your password in plaintext with every request. With SSL it's not unreasonable, but "Cookie" is a header so it ends up being a pretty similar setup, the only difference is you need to modify you browser's behaviour for it to work.

If you wanted to get fancy you could do a thing where the server stores a public key. On every request it sends a 302 with an additional header which is an ephemeral symmetric key under encryption by the public key, then the page redirected to is the webpage under the ephemeral key, so the client can decrypt the sym key while doing the redirect and decrypt the page after. If KEX is secure then you have a theoretically secure protocol that (depending on asym algo) is immune to MitM, but it's still a poor man's SSL.

Another way might be to firewall your webserver from receiving any external requests and ssh tunnel. That way you get free crypto and it's pretty portable.