5

The Internet is generally plagued by websites that break basic rules of security, then there's a middle tier where website try to secure passwords... but they do it incorrectly. And finally, there's websites that do security correctly and are generally secure, but may be vulnerable to attacks not directly on the password but the authentication process itself.

Please note, I'm asking strictly about the authentication part. User management, rights management, baning accounts, and so forth are not part of this question, but if you have a solution that comes with these things that's an amazing bonus, but not what I'm asking.

What boxed solutions exist that allow us to wrap authentication around pages/content, and are not vulnerable to things easily read up in OWASP: they hash passwords correctly, they send Diffie-Hellman cookies (or something like that) rather than the hash of the password as a cookie. They follow RSA PKCS specs.

What exists? This problem is getting solved every day again and again, and I honestly haven't heard of many efforts to offer one stand-alone auth solution for websites, just lots of guides out there telling you "use someone else's solution." Where are those solutions?

Improve this question
2
  • There are different solutions for different scenarios. What are your website requirements? Do you have any language preferences? And what are you trying to get at when you talk about cookies? I sense some confusion here about authentication, cookie exchanges for establishing shared secrets, and http cookies as session ids. Commented Feb 18, 2011 at 21:37
  • @nealmcb I won't be able to update this till Monday at the latest (headed away), but what I'm talking about is a single solution, such as an Object I can import into my code (or similar). I don't have any specific problem presently, but I'm curious to see if there is anything like this. Similar to not having to re-write something such as... "json encoding" from spec for each time I uses it, but obviously a more complex in terms of functionality. Commented Feb 18, 2011 at 21:56

2 Answers 2

Reset to default
6

One way to outsource authentication is to use OAuth, OpenID, Facebook Connect and others. That way you don't have to take care of users passwords.

To protect specific pages (which would be authorization/rights management), there are multiple solutions. Most web frameworks have some sort of authentication/authorization solutions (for example Djangos auth module).

A more "enterprisy" solution in Java/.NET is Spring Security. It has a lot of functionality, but doesn't do a lot of things out of the box without configuration. There are most likely others like Spring around.

So if you are looking for a simple way to add authentication to a website, use something like OAuth. If you are already using a web framework, it will most likely already offer that functionality. And in the enterprise world there is Spring.

Improve this answer
3

You didn't say what kind of organization you are in.

If you work in higher education or do research with higher education, you may be able to participate in the InCommon federation using Shibboleth. Shibboleth does not have as wide support in CMS's and frameworks enjoyed by OAuth or OpenID, but it's worth asking to find out if your institution is using Shibboleth.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.