The proper way to implement this is to use HTTP Authentication as Wagner described. There are gobs of explanations that a web search will provide you, but basically it comes down to programming the Arduino to look for an Authorization: header (with a valid user/password encoded therein) in the request, or returning a 401 status if not.
This is an intrinsic behavior of web browsers to handle this authentication scheme. It would be very similar to implement the authentication using a cookie but that causes a little more work in having to generate a username/password input. HTTP authentication would do that for you.
Chagrin:
The proper way to implement this is to use HTTP Authentication as Wagner described. There are gobs of explanations that a web search will provide you, but basically it comes down to programming the Arduino to look for an Authorization: header (with a valid user/password encoded therein) in the request, or returning a 401 status if not.
This is an intrinsic behavior of web browsers to handle this authentication scheme. It would be very similar to implement the authentication using a cookie but that causes a little more work in having to generate a username/password input. HTTP authentication would do that for you.
Anyone been able to get this working? I'm also looking for a secure solution for my Arduino webserver (also for a domotica solution). I'm new with Arduino, and I don't have much experience with PHP or HTML. I can write a simple button page, but that's it.
Just an addition to the suggestions already posted; I have also written a web server with the W5100 and use the authorization supplied in the GET request by the client. My webserver is controlled by a PHP script using CURL which puts the authorization into the request:
GET /secret.ard HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtQW==
I use a Base64 library to decode the credentials. (search for adamvr-arduino-base64-4be16cd.zip)
Hi!
I'm new to Arduino, I'm from Cuba so my English is very bad.
I'm working on the same problem about Basic Authentication with an Arduino web server. I don't think you need the Base64 library for Arduino because you only need to compare the generated code; you don't need to know the user and password, just the code, in order to allow access.
You can generate this code for a user/password pair with any other available tool.
This is an easy solution; the main problem of that way is that you cannot change the user and password unless you re-program the Arduino.
I'm working on a solution that has admin/admin as the default, and uses a web form to change the user and password whenever I want. In this case the Base64 library for Arduino is needed to generate the new code.
Another idea is to supply a hardware switch to reset to the default configuration. In this case the default configuration asks for Basic Authentication but will accept any code the first time and will use that code as the valid code from then on. You will need to save this new code to the EEPROM.
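As an added example (not code from any of the posts above), here is the core of the Basic Authentication check in plain C++ so it can be tested off the board: it pulls the Authorization header out of a raw request like the one quoted earlier, compares it in constant time against a precomputed "Basic <base64(user:password)>" value, as the previous post suggests, and builds the 401 challenge that makes the browser prompt for credentials. The expected token is assumed to be the one from the sample request; the function names are my own.

```cpp
#include <cstring>
#include <string>
#include <strings.h>   // strncasecmp (POSIX); header names are case-insensitive

// Precomputed "Basic " + base64("user:password"); the token is the one from the
// sample request above. Generate it offline and store it, no decoding needed.
static const char* kExpectedAuth = "Basic QWxhZGRpbjpvcGVuIHNlc2FtQW==";

// Return the value of one header from a raw HTTP request ("" if absent);
// header lines follow the request line and end at the first empty line.
std::string headerValue(const std::string& request, const char* name) {
    size_t nameLen = strlen(name);
    size_t pos = request.find("\r\n");            // skip the request line
    while (pos != std::string::npos) {
        pos += 2;
        size_t end = request.find("\r\n", pos);
        std::string line = request.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
        if (line.empty()) break;                   // end of headers
        if (line.size() > nameLen && line[nameLen] == ':' &&
            strncasecmp(line.c_str(), name, nameLen) == 0) {
            size_t v = nameLen + 1;
            while (v < line.size() && line[v] == ' ') ++v;   // strip leading spaces
            return line.substr(v);
        }
        pos = end;
    }
    return "";
}

// Compare without an early exit on the first mismatching byte, so response
// timing does not reveal how much of the credential was right.
bool constantTimeEqual(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

// true: serve the page; false: send unauthorizedResponse() instead.
bool isAuthorized(const std::string& request) {
    return constantTimeEqual(headerValue(request, "Authorization"), kExpectedAuth);
}

// The 401 challenge; the WWW-Authenticate header is what makes the browser
// show its login dialog and retry the request with an Authorization header.
std::string unauthorizedResponse() {
    return "HTTP/1.1 401 Unauthorized\r\n"
           "WWW-Authenticate: Basic realm=\"Arduino\"\r\n"
           "Content-Length: 0\r\n\r\n";
}
```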
I did get the Basic authentication to work using the TinyWebServer example FileUpload.
It did take me some time trying and debugging.
So you might want to give it a try:
const char* headers[] = {
  "Content-Length",
  "Authorization", // add to be able to query it
  NULL
};
// add variables to keep the results
boolean authenticated = false;
String user;
// expected header value, generated offline (placeholder, not from the post)
const char* EXPECTED_AUTH = "Basic <base64 of user:password>";
// add this function which sends a 401 to the client to force a logon
boolean authenticate(TinyWebServer& web_server)
{
  const char* authorization = web_server.get_header_value("Authorization");
  // the post ends here; minimal completion assumed below
  if (authorization != NULL && strcmp(authorization, EXPECTED_AUTH) == 0) {
    authenticated = true;
    return true;
  }
  web_server.send_error_code(401);
  web_server.println("WWW-Authenticate: Basic realm=\"Arduino\"");
  web_server.end_headers();
  return false;
}
I saw your post from July 29, 2013 about your success with getting some authentication to work on TinyWebServer file upload example. I have no background in programming so I wonder if you could email or post the whole working sketch so I can see where in the example you inserted the authentication code.
I am trying to get this to work in the BlinkLed sketch.
Thanks....arniep
I use standard session cookies for my Arduino web server application at http://www.2wg.co.nz - after I log in to the application via a password data entry form I get a ten minute session cookie - after that I have to re-enter the password if I need to do more work.
Much of my application browsing functionality is available to the public. When I access my system on my local LAN I automatically get a second (comprehensive) level of functionality based on my PC's local IP address. Only when I need to do important things do I have to login and get a ten minute session cookie (on the LAN and anywhere on the internet).
Information about how I implemented session cookies is available in this directory of my Arduino website - http://www.2wg.co.nz/PUBLIC.DIR/. The file http://www.2wg.co.nz/PUBLIC/COOKIES.TXT/ has a detailed description with source code of my session cookie implementation. It refers to four minute cookies - now they last for ten minutes.
Note that I use html form (POST) processing - my application does not process parameters that are appended to html GET requests. This is in contrast to many of the available Arduino webserver example programs you will find. You can research the important differences between GET and POST html requests if you are interested.
It is the case that my security implementation does transmit passwords and cookies between browsers and my Arduino web server in plain text. Anyone who can intercept my data communications could steal the password and log into my Arduino application. However at this stage I regard the risks as very low.
Someone also mentioned using a different port. I also run my Arduino application at another IP address and on another port. The application at http://www.2wg.co.nz is continuously bothered by web crawlers from Microsoft, Google, Baidu and others. So far none of them have found my other application implementation because it is not running on port 80 and I will never publish its address on a website for a crawler to find. If they did find it I would just move it away to another port.
Note that my application has controls to prevent brute force password hacks. After someone tries three times to guess the password unsuccessfully my application simply refuses to talk to their IP address. My system sends push emails to my iPhone whenever anyone enters an incorrect password - so I get immediate alerts of attempted intrusions.
My system also records full html request details for every system access including the user's IP address. It is retained permanently and I already have a year's worth of it - you can browse the log files (but not open them) on my application's web site via the HTMLREQU directory/folder.
Anyone who takes the time to read http://www.2wg.co.nz/PUBLIC/COOKIES.TXT/ is welcome to ask specific additional questions and request up to date code samples and other assistance.
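The session handling described in this post, as an added example in plain C++ (my own code, not the 2wg.co.nz implementation): a single active session that expires ten minutes after login, a per-IP counter that refuses further logins after three wrong passwords, and a check to run before any important action. The password, token format and clock source are assumptions; on the Arduino the clock would come from millis() and the token from a proper random source.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Numbers follow the post above: a ten-minute session and three strikes per IP.
const uint32_t kSessionSeconds = 600;
const int kMaxFailures = 3;

struct SessionStore {
    std::string token;                    // the one active session (single-user app)
    uint32_t expiresAt = 0;               // in seconds; a sketch would use millis()/1000
    std::map<std::string, int> failures;  // failed logins per client IP address

    // Assumed password check; the real application keeps this elsewhere.
    bool passwordOk(const std::string& pw) const { return pw == "correct horse"; }

    // Called by the login form handler. Returns the cookie value to set, or ""
    // when the password is wrong or the IP address is already locked out.
    std::string login(const std::string& ip, const std::string& pw,
                      uint32_t now, uint32_t random) {
        if (failures[ip] >= kMaxFailures) return "";        // refuse this IP outright
        if (!passwordOk(pw)) {
            ++failures[ip];                                  // where the alert would be sent
            return "";
        }
        failures.erase(ip);
        char buf[9];
        snprintf(buf, sizeof buf, "%08x", random);           // caller supplies the randomness
        token = buf;
        expiresAt = now + kSessionSeconds;
        return token;
    }

    // Called before anything important: the cookie must be the current session
    // and the ten minutes must not have run out.
    bool authorized(const std::string& cookie, uint32_t now) const {
        return !token.empty() && cookie == token && now < expiresAt;
    }
};
```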
CatweazleNZ:
I use standard session cookies for my Arduino web server application at http://www.2wg.co.nz - after I log in to the application via a password data entry form I get a ten minute session cookie - after that I have to re-enter the password if I need to do more work.
............
............
Cheers
Catweazle NZ
I visited your server, it's really great! I also tried the Login page, you should receive a new Push notification hahaha. Quick question: which sensors, Arduino board etc. did you use for that?
Cheers !
From top left going clockwise - a PIR sensor, a DHT11 temperature and humidity sensor (also the DHT22 model), a lever operated microswitch (used to detect if the garage door is open or closed) and a relay (to drive the garage open function).
I have my system and the broadband ADSL modem router connected to a UPS so my system runs and is accessible even when the power is off.
I am using an Ethermega board - 256K Flash (the application is 140K), 8KB RAM, 4KB EEPROM, integrated Ethernet, etc.
Currently I have more software functionality than actually installed devices. I need to get into my ceiling and run some more wires to get the actual functionality of the application fully operational.
Just a thought for everyone that is still trying or needs additional (easier) password protected logins... You should consider using algorithms and random number generators. For example in your code, you can use something simple such as...
Random number_A
Random number_B
Random number_C
So the Arduino will generate 3 numbers.
These 3 numbers will be printed on your Arduino web server followed by a text box...
So if A=15, B= 34, C=186
Your Server will print
15 ["text box"]
34 ["text box"]
186 ["text box"]
You can create an Algorithm such as (A * 2) +2 (A+3), The Answer will be in this case--> 66 (...Algebra)
B's Answer can be A+B+C --> 15+34+186 = 235
C's Answer can be (A+1)+(B+2)+(C+5) = 243
Once you have the "Text Box" all filled, you can have a submit button, and then the Arduino will run all the checks (... you will have to write the parsing and algorithms code). Once everything is good, then you can display the rest of the html code. Once again, this may be long and tedious but it sure is a great exercise to help with some programming skills. It will also give you a 1 in (256x256x256)-->minimum chance of someone getting into your server and will be a dynamic system that changes with every login based on the random numbers generated.
Good enough to keep your circuits safe, especially those dealing with home automation.
Since my original post of a year ago I have also added password randomisation to my application. Anyone who discovers a password to log into my application (e.g. a man in the middle hacker) will find out that the password is not valid at any future time.
So while my application does transmit passwords in plain text their life is very very limited. While I have published the source code for my application on its website the password generation algorithm is not available.
Having had my website up for two years my experience is that I get about one password hack attempt every two weeks and typically for simple passwords such as 123456 and "password".
CatweazleNZ:
Since my original post of a year ago I have also added password randomisation to my application. Anyone who discovers a password to log into my application (e.g. a man in the middle hacker) will find out that the password is not valid at any future time.
So while my application does transmit passwords in plain text their life is very very limited. While I have published the source code for my application on its website the password generation algorithm is not available.
Having had my website up for two years my experience is that I get about one password hack attempt every two weeks and typically for simple passwords such as 123456 and "password".
Cheers
Catweazle NZ
WOW, I am in the process of learning Arduino, and have thrown myself out in making a project where a Mega controls my wood pellet furnace, eth and LCD of course, so I am almost doomed to create a profile here anyways, but what made me do it just now was seeing your Arduino server, and I wanted to say it seems VERY impressive
Aandersen:
WOW, I am in the process of learning Arduino, and have thrown myself out in making a project where a Mega controls my wood pellet furnace, eth and LCD of course, so I am almost doomed to create a profile here anyways, but what made me do it just now was seeing your Arduino server, and I wanted to say it seems VERY impressive
Cheers
Thanks for the compliment.
Every successful big computer system was previously a successful small computer system that was added to one step at a time. With careful incremental development anyone can build big systems, albeit you may need a lot of time.
Brick walls are built one brick at a time.
Things will be slow when you are working in a new area. But walking slowly before trying to run is always recommended.
I read all suggestions with a lot of interest but found it a bit complicated if someone is looking for an easy way to avoid things from happening until a certain condition is true.
I need to protect a heating system which I check and control over my smartphone.
I don't really care if someone can see the web interface of my project but I don't want the Arduino to get commands if a certain condition is true.
I thought I could put 4 buttons on the webpage.
Let's say that :
if button1 is pressed then a+=1
if button2 is pressed then b+=1
if button3 is pressed then c+=1
if button4 is pressed then a,b,c = 0
In my code i could build a function that checks if the following condition is met and returns true if
a=2 b=1 c=2
I could put a statement before every important feature I want to check and recall the function that will allow or not the execution.
Mazeratti:
I have done exactly this but found it was being accessed every once in a while and I don't know how to be able to log who accesses it?
I hope someone gets to see this since it's been a few years since the last post.
Hi
If you are running a webserver you must be receiving html requests. Dump the request content to a log file if you have an SD card and review them from time to time.
Data coming with a port connection may be binary and from a port scanner - and not an easily readable html request from a web browser.
If you are using a w5100 connection (not WIFI) you should be able to determine the IP address of each html request/port connection. Add that to your log file and then trace the addresses later to see who it is.
As well as web crawlers and spiders that typically trawl port 80 web sites there are port scanners that check ranges of ports looking for known web applications with vulnerabilities. For non standard port websites try to avoid the common ports used by other internet based applications (e.g. SQL Server) to avoid port scanners looking for these applications and attempting to hack their vulnerabilities.