
Topic: Password protect for arduino webserver? (Read 38682 times)

arian


I would like to control some home equipment connected to my
arduino on or off. High security won't be necessary.

I still have no idea how to implement the basic authentication in a sketch.


Did you check my example?

zoomkat

Quote
I would like to control some home equipment connected to my
arduino on or off. High security won't be necessary.


Running your arduino on a non standard port behind a router and not releasing public links to the arduino URL may be all you need.
Google forum search: Use Google Advanced Search and use Http://forum.arduino.cc/index in the "site or domain:" box.

tubos

@arian, yes I looked at your example but I noticed it was for the ENC28J60 Ethernet chip.
I have the arduino ethernet board with the W5100 chip.

@zoomkat yes, I'm already doing that port 'trick' but I was looking for some extra security
which I could use for other projects as well.

arian


Quote
@arian, yes I looked at your example but I noticed it was for the ENC28J60 Ethernet chip.
I have the arduino ethernet board with the W5100 chip.


That's correct, it's for the ENC28J60, but the parsing functions you are looking for work at the application layer, which is chip independent.

Rainier9

I'm also in need of this. Looking for the simplest way of doing this as well. For what it's worth I'll try using the TextFinder Library and the HTML password field. I'll see how it goes...

I'll be checking the forum as well xD
Keep it simple.

Chagrin

The proper way to implement this is to use HTTP Authentication as Wagner described. There are gobs of explanations that a web search will provide you, but basically it comes down to programming the Arduino to look for an Authorization: header (with a valid user/password encoded therein) in the request, or returning a 401 status if not.

This is an intrinsic behavior of web browsers to handle this authentication scheme. It would be very similar to implement the authentication using a cookie but that causes a little more work in having to generate a username/password input. HTTP authentication would do that for you.


bennie


Quote
The proper way to implement this is to use HTTP Authentication as Wagner described. There are gobs of explanations that a web search will provide you, but basically it comes down to programming the Arduino to look for an Authorization: header (with a valid user/password encoded therein) in the request, or returning a 401 status if not.

This is an intrinsic behavior of web browsers to handle this authentication scheme. It would be very similar to implement the authentication using a cookie but that causes a little more work in having to generate a username/password input. HTTP authentication would do that for you.





Anyone been able to get this working? I'm also looking for a secure solution for my arduino webserver (also for a domotica solution). I'm new with Arduino, and I don't have much experience with php or html. I can write a simple button page, but that's it.

Guillaume85


Here is the example
It does not work; I downloaded it, and what am I supposed to do with that?

PaulS

Quote
It does not work; I downloaded it, and what am I supposed to do with that?

You downloaded the example, and you don't know what to do with it, but you know it doesn't work. I don't think so.

supercrab

#24
Oct 03, 2011, 10:23 pm Last Edit: Oct 03, 2011, 10:26 pm by supercrab Reason: 1
Just an addition to the suggestions already posted; I have also written a web server with the W5100 and use the authorization supplied in the GET request by the client.  My webserver is controlled by a PHP script using CURL which puts the authorization into the request:

Code:
GET /secret.ard HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtQW==


I use a Base64 library to decode the credentials.  (search for adamvr-arduino-base64-4be16cd.zip)

In my program I look for the Authorization header:

Code:

#include <Base64.h>    // adamvr's arduino-base64 library

char username[300];    // receives the decoded "username:password"

if (requestLine.startsWith("Authorization: Basic ")){
  getUsername(requestLine, username, sizeof(username));
}

:

// Decodes the credentials from an "Authorization: Basic ..." line into dest
// as username:password. String::replace() edits in place and returns nothing,
// and a local array must not be returned from a function, so the caller
// passes in the buffer that receives the result.
void getUsername(String authorizationLine, char* dest, int destSize){
  authorizationLine.replace("Authorization: Basic ","");
  authorizationLine.trim();                       // strip the trailing CR/LF
  char encoded[300];
  authorizationLine.toCharArray(encoded, sizeof(encoded));

  // pass the real length of the encoded text, not the size of the buffer
  int length = base64_decode(dest, encoded, strlen(encoded));
  if (length < 0 || length >= destSize) length = destSize - 1;
  dest[length] = '\0';                            // terminate the decoded string
}


I'll be using this for controlling my heating externally.  It's definitely worth putting some extra security in, but not too much :)

Hope this helps!

My Arduino 7 segment LCD/LED library

http://code.google.com/p/arduino-seven-segment/

deulis

Hi!
I'm new to Arduino, I'm from Cuba so my English is very bad.
I'm working on the same problem with Basic Authentication on an Arduino web server. I don't think you need the Base64 library for Arduino, because you only need to compare the generated code; you don't need to know the user and password, just the code, in order to allow access.
You can generate this code for a user/password pair with any other available tool.

This is an easy solution; the main problem with that approach is that you cannot change the user and password without re-programming the Arduino.

I'm working on a solution that has admin/admin as the default and uses a web form to change the user and password whenever I want. In this case the Base64 library for Arduino is needed to generate the new code.

Another idea is to supply a hardware switch to reset to the default configuration. In this case the default configuration asks for Basic Authentication but will accept any code the first time and will use that code as the valid code from then on. You will need to save this new code to the EEPROM.

Hope this helps!
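As an added example, not code from this thread or from the adamvr library, here is the check that Chagrin describes and supercrab's snippet performs (decode the Base64 token, split it at the colon, compare user and password), alongside deulis's variant that compares the stored Base64 token directly, plus the 401 reply that makes the browser prompt for credentials. It is plain C++ so it compiles on a PC; the function names, the self-contained Base64 decoder and the sample credentials (user:pass, admin:admin) are my own assumptions, and on an Arduino the header line would come from the Ethernet client instead.

```cpp
// Added example: checking an HTTP Basic "Authorization" header.
#include <cstring>
#include <cstdint>
#include <string>

// Decode Base64 text into out; returns the decoded length, or -1 on bad input.
// (Self-contained stand-in for the adamvr Base64 library mentioned in the thread.)
static int base64_decode(const char* in, size_t in_len, uint8_t* out, size_t out_size) {
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < in_len; ++i) {
        char c = in[i]; int v;
        if (c >= 'A' && c <= 'Z') v = c - 'A';
        else if (c >= 'a' && c <= 'z') v = c - 'a' + 26;
        else if (c >= '0' && c <= '9') v = c - '0' + 52;
        else if (c == '+') v = 62;
        else if (c == '/') v = 63;
        else if (c == '=') break;          // padding: nothing more to decode
        else return -1;                    // not a Base64 character
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_size) return -1;  // caller's buffer is too small
            out[n++] = (uint8_t)(acc >> bits);
        }
    }
    return (int)n;
}

// Compare without stopping at the first mismatching byte, so the time taken
// does not reveal how many leading characters of a guess were right.
static bool constant_time_equal(const char* a, size_t a_len, const char* b, size_t b_len) {
    unsigned diff = (unsigned)(a_len ^ b_len);
    for (size_t i = 0; i < a_len && i < b_len; ++i) diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

// Given one request header line (e.g. "Authorization: Basic dXNlcjpwYXNz\r\n"),
// return true only if it carries exactly the expected user and password.
bool basic_auth_ok(const char* header_line, const char* user, const char* pass) {
    const char prefix[] = "Authorization: Basic ";
    if (strncmp(header_line, prefix, sizeof(prefix) - 1) != 0) return false;
    const char* token = header_line + sizeof(prefix) - 1;
    size_t token_len = strcspn(token, "\r\n");      // ignore the line terminator

    uint8_t decoded[128];
    int len = base64_decode(token, token_len, decoded, sizeof(decoded));
    if (len < 0) return false;

    // Split "user:password" at the first colon (a password may itself contain colons).
    const char* colon = (const char*)memchr(decoded, ':', (size_t)len);
    if (!colon) return false;
    size_t ulen = (size_t)(colon - (const char*)decoded);
    const char* p = colon + 1;
    size_t plen = (size_t)len - ulen - 1;

    bool u_ok = constant_time_equal((const char*)decoded, ulen, user, strlen(user));
    bool p_ok = constant_time_equal(p, plen, pass, strlen(pass));
    return u_ok && p_ok;   // both are evaluated before the decision
}

// deulis's variant: compare the Base64 token itself against the stored token,
// so the sketch never has to decode anything.
bool basic_token_ok(const char* header_line, const char* expected_token) {
    const char prefix[] = "Authorization: Basic ";
    if (strncmp(header_line, prefix, sizeof(prefix) - 1) != 0) return false;
    const char* token = header_line + sizeof(prefix) - 1;
    return constant_time_equal(token, strcspn(token, "\r\n"), expected_token, strlen(expected_token));
}

// The reply a sketch sends when the check fails: status 401 plus the
// WWW-Authenticate header that makes the browser show its login prompt.
std::string unauthorized_response(const char* realm) {
    std::string r = "HTTP/1.1 401 Unauthorized\r\n";
    r += "WWW-Authenticate: Basic realm=\"";
    r += realm;
    r += "\"\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n";
    r += "<html><body><h1>401 Unauthorized</h1></body></html>";
    return r;
}
```

Two details worth keeping when porting this to a sketch: check both fields and compare without an early exit, so a wrong guess is rejected in the same time whatever part of it was right; and remember that Basic auth only Base64-encodes the credentials, so the password crosses the network readable to anyone who can see the traffic.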

dannyn382

I was wondering, Wagner, if you were able to get anywhere with this and make your example work. I, too, am looking for a way to secure an Arduino webpage.

Thanks,

Dan

LucLoo

I did get Basic authentication to work using the TinyWebServer example FileUpload.
It took me some time of trying and debugging.
So you might want to give it a try:

const char* headers[] = {
  "Content-Length",
  "Authorization",     // add to be able to query it
  NULL
};

// add var's to keep the results
boolean authenticated = false;
String user;

// add this function which sends a 401 to the client to force a logon
boolean authenticate(TinyWebServer& web_server)
{
  const char* authorization = web_server.get_header_value("Authorization");

  #if DEBUG
    Serial.print ("DEBUG Authorization=");
    Serial.println(authorization ? authorization : "(none)");
  #endif

  // get_header_value() returns NULL when the header is absent, and the first
  // request from a browser never carries it, so test for NULL before strncmp()
  if (authorization != NULL && 0 == strncmp(authorization, "Basic ", 6))
  {
    if (0 == strcmp("dXNlcjp1c2Vy", authorization + 6))   {      // base64 string for user:user
      user = "user";  authenticated = true; return true;  }
    if (0 == strcmp("YWRtaW46YWRtaW4=", authorization + 6)) {     // base64 string for admin:admin
      user = "admin";  authenticated = true; return true;   }
  }
  authenticated = false;
  // web_server.send_authenticate();
  web_server.write("HTTP/1.1 401 Authorization Required\r\n");
  web_server.write("WWW-Authenticate: Basic realm=\"LloRealm\"\r\n");
  web_server.end_headers();
  web_server.write("<!doctype html><html lang='nl'><head><title>Error</title><meta charset='utf-8'/></head>");
  web_server.write("<body><h1>401 Unauthorized.</h1></body></html>");
  return false;
}

boolean file_handler(TinyWebServer& web_server) {
  if (!authenticate(web_server)) return false;     // when you add this the website will require a valid logon

  // only allocate the file name once the logon has succeeded, so nothing leaks on a 401
  char* filename = TinyWebServer::get_file_from_path(web_server.get_path());
  send_file_name(web_server, filename);
  free(filename);
  return true;
}



arniep

I saw your post from July 29, 2013 about your success with getting some authentication to work on TinyWebServer file upload example. I have no background in programming so I wonder if you could email or post the whole working sketch so I can see where in the example you inserted the authentication code.
I am trying to get this to work in the BlinkLed sketch.
Thanks....arniep

CatweazleNZ

I use standard session cookies for my Arduino web server application at http://www.2wg.co.nz - after I login to the application via a password data entry form I get a ten minute session cookie - after that I have to re-enter the password if I need to do more work.

Much of my application browsing functionality is available to the public. When I access my system on my local LAN I automatically get a second (comprehensive) level of functionality based on my PC's local IP address. Only when I need to do important things do I have to login and get a ten minute session cookie (on the LAN and anywhere on the internet).

Information about how I implemented session cookies is available in this directory of my Arduino website - http://www.2wg.co.nz/PUBLIC.DIR/. The file http://www.2wg.co.nz/PUBLIC/COOKIES.TXT/ has a detailed description with source code of my session cookie implementation. It refers to four minute cookies - now they last for ten minutes.

Note that I use html form (POST) processing - my application does not process parameters that are appended to html GET requests. This is in contrast to many of the available Arduino webserver example programs you will find. You can research the important differences between GET and POST html requests if you are interested.

It is the case that my security implementation does transmit passwords and cookies between browsers and my Arduino web server in plain text. Anyone who can intercept my data communications could steal the password and log into my Arduino application. However at this stage I regard the risks as very low.

Someone also mentioned using a different port. I also run my Arduino application at another IP address and on another port. The application at http://www.2wg.co.nz is continuously bothered by web crawlers from Microsoft, Google, Baidu and others. So far none of them have found my other application implementation because it is not running on port 80 and I will never publish its address on a website for a crawler to find. If they did find it I would just move it away to another port.

Note that my application has controls to prevent brute force password hacks. After someone tries three times to guess the password unsuccessfully my application simply refuses to talk to their IP address. My system sends push emails to my iPhone whenever anyone enters an incorrect password - so I get immediate alerts of attempted intrusions.

My system also records full html request details for every system access including the user's IP address. It is retained permanently and I already have a year's worth of it - you can browse the log files (but not open them) on my application's web site via the HTMLREQU directory/folder.

Anyone who takes the time to read http://www.2wg.co.nz/PUBLIC/COOKIES.TXT/ is welcome to ask specific additional questions and request up to date code samples and other assistance.

Cheers

Catweazle NZ
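As an added example, not CatweazleNZ's code and not taken from COOKIES.TXT, here are the two controls his post describes: a ten-minute session cookie issued after a password is posted through a form, and a per-IP lockout after three wrong passwords. It is plain C++ with the clock (seconds) and the client address passed in, so it runs on a PC; the table sizes, the sample password, the token generator and the function names are my own assumptions, and in a sketch millis()/1000 and the Ethernet client's remote IP would be supplied instead.

```cpp
// Added example: session cookies with expiry plus a per-IP failed-login lockout.
#include <cstdint>
#include <cstring>
#include <cstdio>
#include <string>

static const uint32_t SESSION_SECONDS = 600;   // ten minutes, as in the post
static const int      MAX_FAILURES    = 3;     // the third wrong password locks the IP
static const int      TABLE_SIZE      = 8;     // small fixed tables suit an Arduino's RAM

struct Session  { char token[17]; uint32_t issued; bool used; };
struct Offender { uint32_t ip; int failures; bool used; };

static Session  sessions[TABLE_SIZE];
static Offender offenders[TABLE_SIZE];
static uint32_t token_counter = 0;             // assumption: stands in for a real random source

static const char* SECRET_PASSWORD = "correct horse";   // constructed sample value

static Offender* find_offender(uint32_t ip) {
    for (int i = 0; i < TABLE_SIZE; ++i)
        if (offenders[i].used && offenders[i].ip == ip) return &offenders[i];
    return nullptr;
}

// True once an address has used up its three attempts; it stays refused after that.
bool ip_locked_out(uint32_t ip) {
    Offender* o = find_offender(ip);
    return o != nullptr && o->failures >= MAX_FAILURES;
}

static void record_failure(uint32_t ip) {
    Offender* o = find_offender(ip);
    if (!o) {
        for (int i = 0; i < TABLE_SIZE && !o; ++i)
            if (!offenders[i].used) { o = &offenders[i]; o->used = true; o->ip = ip; o->failures = 0; }
        if (!o) return;   // table full; a real sketch would decide how to fail here
    }
    o->failures++;
}

// Produce a 16-character hex token. A real sketch must use unpredictable bytes
// (a hardware RNG, or entropy gathered over time), not a counter like this.
static void new_token(char* out) {
    uint32_t a = ++token_counter * 2654435761u;
    uint32_t b = token_counter ^ 0xA5A5A5A5u;
    snprintf(out, 17, "%08x%08x", (unsigned)a, (unsigned)b);
}

// Login attempt from a POST form. On success returns the Set-Cookie header to
// send; on failure returns an empty string and counts the failure against the IP.
std::string login(uint32_t ip, const char* password, uint32_t now) {
    if (ip_locked_out(ip)) return "";                    // refused before the password is even looked at
    if (strcmp(password, SECRET_PASSWORD) != 0) { record_failure(ip); return ""; }
    Offender* o = find_offender(ip);
    if (o) o->failures = 0;                              // a correct password clears the count
    for (int i = 0; i < TABLE_SIZE; ++i) {
        if (sessions[i].used && now - sessions[i].issued >= SESSION_SECONDS)
            sessions[i].used = false;                    // evict an expired slot
        if (!sessions[i].used) {
            new_token(sessions[i].token);
            sessions[i].issued = now;
            sessions[i].used = true;
            return std::string("Set-Cookie: session=") + sessions[i].token + "; Max-Age=600; HttpOnly";
        }
    }
    return "";   // no free session slot
}

// Check the Cookie header of a later request; the session is good for ten minutes.
bool session_valid(const char* cookie_header, uint32_t now) {
    const char* p = strstr(cookie_header, "session=");
    if (!p) return false;
    p += 8;
    size_t len = strcspn(p, ";\r\n ");
    for (int i = 0; i < TABLE_SIZE; ++i) {
        if (!sessions[i].used || strlen(sessions[i].token) != len) continue;
        if (memcmp(sessions[i].token, p, len) == 0)
            return now - sessions[i].issued < SESSION_SECONDS;
    }
    return false;
}
```

The lockout check runs before the password comparison, so a locked address gets no feedback even when it eventually guesses right, and the cookie carries HttpOnly so page scripts cannot read it; as the post says, both the password and the cookie still travel in plain text, which is what limits this design to low-risk use.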
