Corrected documentation

[CGIscriptor.git] / PrivateTutorial.html

<html>
<head>
        <title>Tutorial: How to set up login accounts</title>
</head>
<body>
<p>
<table width='100%'><tr>
        <td style='text-align: left'><a href="/index.html">Home</a></td> 
        <td style='text-align: right'><a href="/Private/index.html?LOGOUT">Logout</a></td>
</tr></table>
</p>
<h1 style="text-align: Center">Tutorial: How to set up login accounts</h1>
        <h3 style="text-align: Center">WARNING</h3>
        <p style="margin-left: 20%; margin-right: 20%; text-align: justified;font-style: italic">
        The current implementation of an authenticating and authorization procedure
        (Password Login) in <em>CGIscriptor.pl</em> is experimental and meant as an illustration
        for the use of the framework. The code has not been reviewed. <br />
        Before you use this procedure on your site, be sure you understand the limitations of the
        implemented procedures. You should evaluate first whether the procedures address your 
        security needs and second whether the code implements the procedures correctly.
        </p>


<h2 style="text-align: Center">Introduction</h2>
<p style="text-align: Left">
        In situations where pages and services must be limited to authorized 
        persons, it is possible to activate a login procedure when a certain page
        or url is requested. The authentication is done by requesting a user 
        name and a password. The server stores information about the passwords 
        and privileges of individual users.
</p>
<p style="text-align: Left">
        The method used to authorize requests is a server side session ticket.
        The client (user) browser will send an identifier token that is compared 
        with the expected identifier. Only if the token is accepted, will the 
        requested page be processed and send to the client. Identifier tokens
        can be send as cookies or as CGI variables. There is no difference
        between these two methods. If possible, use cookies as they are more
        convenient. Note that the ticket identifiers rely on the use of 
        <a href="http://www.xul.fr/en/html5/sessionstorage.php">browser 
        SessionStorage</a>. If the browsers of clients do not support 
        <a href="http://www.xul.fr/en/html5/sessionstorage.php">browser 
        SessionStorage</a>, your choices will be limited.
</p>

<h2 style="text-align: Center">How to protect services with a password login</h2>
<p style="text-align: Left">
        The variable <em>%TicketRequiredPatterns</em> contains a set of URL patterns that 
        should be protected by a password login. Each pattern points to a 
        directory where login sessions are stored (<tt>Private/.Sessions</tt>),
        account information (<tt>Private/.Passwords</tt>), the login page
        that should be shown for that URL (<tt>Private/Login.html</tt>),
        and finaly the default expire time for a session (<tt>+36000</tt>,
        i.e., 36 thousand seconds = 10 hours).
<pre>
# File patterns of files which are handled by session tickets.
%TicketRequiredPatterns = (
'^/Private(/|$)' => "Private/.Sessions\tPrivate/.Passwords\t/Private/Login.html\t+36000"
);
</pre>  
</p>

<h2 style="text-align: Center">Session types</h2>

<p style="text-align: Left">
        Security comes with costs attached. The more stringent the authentication should
        be, the more complex the authentication process will have to be. To allow a meaningful
        tradeof between security and costs, three levels of authentication are implemented.
</p>
<p style="text-align: Left">
        <ol>
                <li>IPADDRESS: Remote client IP address<br />
                        Use the (apparent) IP address of the client as an identification.
                        Simple and not secure
                </li>
                <li>SESSION: Single session token<br />
                        Create a single token that the client can use during the session.
                        But also use the IP address. Relatively straightforeward and reasonably
                        secure.
                </li>
                <li>CHALLENGE: One time session tokens<br />
                        The client has to generate a new token for every request. Each token
                        can be used only once. The new token is constructed from a random 
                        string send from the server and the stored password. This can be used
                        to prevent session hijacking by a third party who can simulate the same 
                        IP address, or if the IP address is not fixed, e.g., when using Tor.
                </li>
        </ol>
        It is adviced to use the SESSION (single session token) type unless there are 
        specific reasons to increase security, eg, for the admin acount or Tor sessions. 
</p>
        
<h2 style="text-align: Center">Password account tickets</h2>

<p style="text-align: Left">
This is an annotated example of a PASSWORD account ticket. At the right hand side is the literal text as present in the Account file.
All regex patterns are <a href="http://www.regular-expressions.info/perl.html">Perl regex patterns</a>.
</p>
<p>
<table>
<tr><td style="text-align: Right">The type of the ticket</td><td>&nbsp;</td><td><tt>Type: PASSWORD</tt></td></tr>
<tr><td style="text-align: Right">Official username, lowercase</td><td>&nbsp;</td><td><tt>Username: testchallenge</tt></td></tr>
<tr><td style="text-align: Right">Hashed and encrypted password</td><td>&nbsp;</td><td><tt>Password: 6df7d66e8832ee52a9aba5e474ce8641a9577eff140d54b297b61443bf8d9eb1</tt></td></tr>
<tr><td style="text-align: Right">Allowed IP addresses, a regex pattern</td><td>&nbsp;</td><td><tt>IPaddress: 127.0.0.1</tt></td></tr>
<tr><td style="text-align: Right">Allowed paths in the web site, a regex pattern</td><td>&nbsp;</td><td><tt>AllowedPaths: ^/Private/index\.html$</tt></td></tr>
<tr><td style="text-align: Right">idem</td><td>&nbsp;</td><td><tt>AllowedPaths: ^/Private/[^/]+\.html$</tt></td></tr>
<tr><td style="text-align: Right">idem</td><td>&nbsp;</td><td><tt>AllowedPaths: ^/Private/?$</tt></td></tr>
<tr><td style="text-align: Right">Privileges, in this case allowed to hop proxies</td><td>&nbsp;</td><td><tt>Capabilities: VariableREMOTE_ADDR</tt></td></tr>
<tr><td style="text-align: Right">The server salt used to hash the password</td><td>&nbsp;</td><td><tt>Salt: e93cf858a1d5626bf095ea5c25df990dfa969ff5a5dc908b22c9a5229b525f65</tt></td></tr>
<tr><td style="text-align: Right">Allowed session type</td><td>&nbsp;</td><td><tt>Session: CHALLENGE</tt></td></tr>
<tr><td style="text-align: Right">A signature of important aspects of this ticket</td><td>&nbsp;</td><td><tt>Signature: eca5b95e3ff4a9628be4c6f1fca29ec2f5981cbbba0b29ce5b601055926a8720</tt></td></tr>
<tr><td style="text-align: Right">Maximum lifetime of a session, 45 minutes</td><td>&nbsp;</td><td><tt>MaxLifetime: +45m</tt></td></tr>
<tr><td style="text-align: Right">Creation date and time</td><td>&nbsp;</td><td><tt>Date: Fri Jun 29 12:46:22 2012</tt></td></tr>
<tr><td style="text-align: Right">Creation time in seconds of epoch</td><td>&nbsp;</td><td><tt>Time: 1340973982</tt></td></tr>
</table>
The above account contains a contradiction. Although it has <em></em>Capabilities: VariableREMOTE_ADDR</em>, 
it is also limited to the local machine, <em>IPaddress: 127.0.0.1</em> (IPaddress is matched from the start).
The default account in this example has been locked down for distribution. Shipping a default account that
could be accessed from the outside would be a security hazard. You are adviced to change the
password before you change any of the default accounts.
</p>
<p>
An example <em>Create User Account</em> page is added. When logged in as any user, you can go to this
page and enter your own password (the one you used to log in), the user name, and password of the new 
user. Below that, the allowed pages and IP addresses can be entered as a <em>;</em> separated list of 
regular expression patterns. After sumitting the form, the text of the account file will be printed
on the page. These texts can be saved in the <em>.Passwords</em> directory.
However, if the <em>admin</em> account is activated, that user can create active new accounts directly.
With each new user, a home directory is automatically created as a copy of the
<em>Private/.SkeletonDir</em> directory.
</p>

<h2 style="text-align: Center">Account signatures and activation</h2>

<p style="text-align: Left">
        Reading the passwords or any change in the account files by other users of the servers could 
        lead to a compromize of the system. Therefore, it is possible to encrypt passwords and sign
        accounts (and session tickets). If the web server supports an environment variable with the
        name <em>CGIMasterKey</em> (<em>$ENV{CGIMasterKey}</em>), the value of that variable will be used as 
        a pass phrase. <em>$ENV{CGIMasterKey}</em> will be used to encrypt the password and create 
        a signature of the account and session tickets. Any account or session ticket with an
        invalid signature will be discarded. Both the encryption keys and the signatures will be 
        constructed from the server side salt and the user name. This means that if you change the
        server side salt or CGIMasterKey, you will have to reset all passwords and recreate all
        signatures.
</p>
<p style="text-align: Left">
        Activating an account means that the password is set and a correct signature is created.
        Setting passwords and generating signatures can be done with <em>CGIscriptor.pl</em> on the command line. 
        The following command will set a new password and signature for the testchallenge account:<br /><tt>
        perl CGIscriptor.pl --managelogin salt=Private/.Passwords/SALT 
        masterkey='Sherlock investigates oleander curry in Bath' 
        password='testing' Private/.Passwords/testchallenge
        </tt><br />
        Note that the creation time of the account (if present) will be part 
        of the signature. This will make that every new account file will have a
        unique signature. Even if all the other contents are the same. The password
        is <em>not</em> part of the signature, nor are any comments.
</p>
<p style="text-align: Left">
        There are four default accounts present: <em>testip, test, testchallenge</em>, and
        <em>admin</em>. The former three have password <em>testing</em>, the latter has password
        <em>There is no password like more password</em>. The <em>admin</em>
        account is disabled by default. You can enable it with a new password
        using the <tt>--managelogin</tt> option. All four accounts are limited to local 
        (<em>localhost</em>) requests. When present, <em>testip, test</em>, and
        <em>testchallenge</em> are reactivated with the default password <em>testing</em>
        whenever a new SALT is automatically generated. It is adviced that the <em>test</em>
        accounts are removed when setting up a site.
</p>

<h2 style="text-align: Center">Creating web pages</h2>
<p style="text-align: Left">
        <em>IPADDRESS</em> and <em>SESSION</em>type sessions do not require 
        any changes in web pages after login. <em>CHALLENGE</em> type sessions 
        require JavaScript code on every single protected page (actually, only 
        to get to the next page after that). Use of the <em>back</em> button 
        is not possible in <em>CHALLENGE</em> type sessions. To add support 
        for the login sessions to simple web pages, add the following code 
        to the HEAD section of each HTML file:
</p>
<pre>
&lt;script type="text/javascript"&gt;
&lt;SCRIPT TYPE="text/ssperl" SRC="./JavaScript/PlainPage.js"&gt;&lt;/SCRIPT&gt;
&lt;/script&gt;
</pre>
<p style="text-align: Left">
        Pages that require a user to enter username or password require special
        <em>window.onload</em> code as well as special <em>onSubmit</em> code 
        for the FORM fields, eg, <em>LoginSubmit()</em>, 
        <em>ChangePasswordSubmit ()</em>, and <em>CreateUserSubmit ()</em>.
        For the Login page, change <em>PlainPage.js</em> into <em>LoginPage.js</em>
        in the above code snippet. 
        For Change Password and Create User use, respectively, <em>ChangePasswordPage.js</em>
        and <em>CreateUserPage.js</em>. The following FORM ID and CGI parameter 
        names should be used (FORM element ID):
        <ul>
        <li>CGIUSERNAME<br />
        The account name of the current user (also if hidden)</li>
        <li>NEWUSERNAME<br />
        The new account name when creating a user</li>
        <li>PASSWORD<br />
        The password. Password visibility can be toggled with<br />
        <em>onClick="this.value=togglePasswords('Hide', 'Show', this.value);true"</em></li>
        <li>NEWPASSWORD<br />
        The new password for Change Password or Create User</li>
        <li>NEWPASSWORDREP<br />
        Repetition of the new password for Change Password or Create User.
        <em>onChange='check_password_fields()'</em> will check whether both 
        fields are identical and set the Submit button</li>
        <li>SUBMIT<br />
        ID of the Submit button, used to grey out the button until all fields 
        are entered 
        </li>
        </li>
        <li>LOGINTICKET<br />
        Sending the login ticket when entering a password. Should not be changed by the user</li>
        <li>CLIENTIPADDRESS<br />
        A text input field containing the IP address of the client as seen by the server, i.e., $REMOTE_HOST. 
        Will be used to generate the LOGINTICKET above. Can be outside of the proper FORM,
        the server will set it, but ignores it when send.
        </li>
        </ul>
        FORM ID and CGI parameter names that are optional as they are set by the server
        and also exchanged by cookies. All contain server generated hexadecimal hashes. 
        Use the FORM ID versions when you use form fields instead of cookies:
        <ul>
        <li>SERVERSALT</li>
        <li>RANDOMSALT</li>
        <li>SESSIONTICKET</li>
        <li>CHALLENGETICKET</li>
        </ul>

</p>
<p>
In some cases it might be needed to defer setting the <em>SESSION</em> 
cookie at the login submit to the landing page. To achieve this, remove 
<em>setSessionParameters();true</em> from the onSubmit function in the 
Login.html page:
<pre>
onSubmit='LoginSubmit();setSessionParameters();true'
</pre>
should become:
<pre>
onSubmit='LoginSubmit()'
</pre>

In those cases you will have to add 
JavaScript code to the first page after the login. 
</p>
</body>
</html>