Re: Capturing Windows Login Name



Hello,

on 02/03/2008 12:33 PM Jerry Stuckle said the following:
I know it is not possible to get Windows login name using PHP because
it is a server-side script, but I dunno whether anyone has tried using
This is not accurate, the Windows logon name is passed to servers by
several browsers (not just IE) when servers ask for Windows NTLM
authentication.

You just need to configure your Web server to require Windows
authentication, and you get the current logged user logon name using
GetEnv('LOGON_USER'); .

Forget Javascript, it would never work.

And which browsers are these? I want to ensure they are never installed
on my system. Such operation would be a tremendous breach of security.

Internet Explorer and Firefox support NTLM. Maybe other browser

NTLM is an authentication protocol. The client (the browser) does not
send passwords to the server. There is nothing insecure about this. The
browsers just send the hashed passwords to the server. The server just
compares hashes and tells if what the browser sent was correct.


Wrong. Access to my computer consists of logon id plus password. It is
none of your business what my logon id is. And it is a security exposure.

You are missing the point. I am not arguing with you. I am telling you
how it works. NTLM is an authentication protocol that is used in
Intranets, not in the general Internet.

If you access an Intranet Web server that requires that you have
authorization in the Windows network, you have to authenticate. If your
browser supports NTLM, it will use it, otherwise it usually falls back to
Basic authentication which is not very secure because passwords are sent
unencrypted.

NTLM is a more secure authentication protocol than Basic because
passwords are never sent to the server and it saves the users from the
annoyance of typing their user names and passwords again.

I am well aware of how it works because I implemented the SASL PHP
library, that among other protocols supports NTLM.

http://www.phpclasses.org/sasl

It is used by HTTP, POP3, SMTP client classes to access servers of these
protocols under Intranets that require NTLM authentication:

http://www.phpclasses.org/httpclient

http://www.phpclasses.org/pop3class

http://www.phpclasses.org/smtpclass


If the authentication succeeds, the server allows the access of whatever
page (including PHP scripts).

This is a multi-step protocol. The user name is only passed to the
server in the last step, if the previous steps succeed.

The idea is to not make the user enter the same password again to access
a site under the same Windows controller domain, after he has logged on to
his Windows machine account that belongs to the same Windows domain.


But it cannot be done by any website to any computer with no control by
the user.

I never said it could.


--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
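
The multi-step exchange described in the message above can be checked from the server side. The following Python code is an added example, not part of the original post and not code from the SASL library it mentions: it decodes an `Authorization: NTLM ...` header value and shows that only the Type 3 message carries the domain, user and workstation names, next to a challenge response rather than a password. The function names and the sample message (CORP, jdoe, WS01) are constructed for illustration.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # set: strings are UTF-16LE

def read_field(msg, pos):
    """Follow a (Len, MaxLen, Offset) descriptor at pos into the payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Report what an 'NTLM <base64>' Authorization value discloses."""
    scheme, _, blob = value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("bad NTLMSSP signature")
    info = {"type": struct.unpack_from("<I", msg, 8)[0]}
    if info["type"] != 3:
        return info  # Type 1 and Type 2 have no user name field
    if len(msg) < 64:
        raise ValueError("truncated Type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Assumption: non-Unicode (OEM) strings are decoded as ASCII here.
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        info[name] = read_field(msg, pos).decode(enc, errors="replace")
    # The NT response is computed from the password hash and the server
    # challenge; the password itself is not a field of the message.
    info["nt_response_len"] = len(read_field(msg, 20))
    return info

def build_sample_type3(domain, user, workstation):
    """Constructed Type 3 message with dummy responses (not a capture)."""
    parts = [b"\x00" * 24, b"\x11" * 24]           # LM and NT responses
    parts += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts.append(b"")                               # no session key
    fields, payload, offset = b"", b"", 64          # payload follows flags
    for part in parts:
        fields += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + fields
    msg += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    print(parse_ntlm_header(build_sample_type3("CORP", "jdoe", "WS01")))
```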