Security

Two methods of security are provided.

The first method allows the server to authenticate web requests based on the IP address of the requestor. To set up this method, a list of IP addresses and masks is passed to http_set_browser_list. If this feature is turned on by a call to http_set_browser_list and a request arrives from an IP address not specified in the IP address list, the connection is reset.

The second method, Basic Authentication, is specified in RFC 1945. It provides the ability to force the browser to authenticate itself for specific web pages. The authentication consists of a user name and password, which are Base64 encoded. This authentication method is set up by calling http_set_auth.

The interaction between the browser and the web server is as follows:

If a request is received for a page that requires authentication (i.e. the page is specified in the authentication information passed to http_set_auth) but the MIME header carries no authentication information, i.e. there is no "Authorization: Basic" field, an Unauthorized message is sent to the browser (at which point the browser queries the user for a username and password and retries the request).

If a request arrives for a page specified in the authentication information and the MIME header of the request contains the "Authorization: Basic" field, the value associated with the field is checked against the Base64-encoded string calculated from the username:password specified in the authentication information passed to http_set_auth. If it is valid, the page is sent to the browser. If it is invalid, a "Forbidden" message is sent to the browser.
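
The Basic Authentication decision described above, as an added C example that is not the server's own code. The names basic_auth_status, b64_encode and ct_equal are hypothetical, the numeric codes are the standard HTTP status values for the messages named in the text, and the comparison is done without an early exit as a hardening choice the page does not describe.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Base64-encode n bytes of in into out (NUL-terminated).
   out must hold at least 4*((n+2)/3)+1 bytes. */
static void b64_encode(const unsigned char *in, size_t n, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)in[i] << 16;
        if (i + 1 < n) v |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
}

/* Compare two strings without stopping at the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical helper: status for a request to a protected page.
   auth_hdr is the value of the Authorization field, or NULL if absent. */
int basic_auth_status(const char *auth_hdr, const char *user, const char *pass)
{
    char plain[128], expect[176];
    int n;
    if (auth_hdr == NULL || strncmp(auth_hdr, "Basic ", 6) != 0)
        return 401;                 /* Unauthorized: browser prompts and retries */
    n = snprintf(plain, sizeof plain, "%s:%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof plain)
        return 403;                 /* configured pair does not fit: refuse */
    b64_encode((const unsigned char *)plain, (size_t)n, expect);
    return ct_equal(auth_hdr + 6, expect) ? 200 : 403;  /* page or Forbidden */
}
```

Base64 is a reversible encoding, so the user name and password are readable by anyone who can observe the request unless the connection itself is encrypted.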