Recommend to use http-digest instead of http-basic #5027
Next Next commit
Recommend to use http-digest instead of http-basic
- Loading branch information
commit f2fdfeeb971e4b1df11ba8d039d03a45476a9ab1
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| | @@ -264,6 +264,17 @@ Great! Now, if you go to ``/admin``, you'll see the HTTP Basic popup: | |
| .. image:: /images/book/security_http_basic_popup.png | ||
| :align: center | ||
| | ||
| .. caution:: | ||
| | ||
| The ``http_basic`` firewall is only recommended while prototyping applications | ||
| or when the application is exclusively accesed through secure transports, such | ||
| as https. The reason is that browsers include user credentials in each request | ||
| There was a problem hiding this comment. I would use HTTPS instead of the lowercased https. | ||
| without applying any hashing mechanism, just a plain base64 encoding. | ||
| | ||
| Instead, consider using the ``http_digest`` firewall, which is almost identical | ||
| to ``http_basic`` but where user credentials are encoded and hashed before | ||
| including them in the request. Read :ref:`HTTP-Digest Authentication reference <reference-security-http-digest>`. | ||
| There was a problem hiding this comment. Can you move the | ||
| | ||
| There was a problem hiding this comment. Not sure I like this recommendation. Or at least, the many drawbacks of the Digest auth method should be mentioned. There was a problem hiding this comment. In the Wikipedia, we can find this list of disadvantages of auth-digest. Is this what you were referring to?
There was a problem hiding this comment. @javiereguiluz What was your original motivation for creating this PR? If it's security related, I think we can keep this message shorter (I'd really like to keep it as short as possible) and just highlight that | ||
| But who can you login as? Where do users come from? | ||
| | ||
| .. _book-security-form-login: | ||
| | @@ -474,7 +485,7 @@ else, you'll want to encode their passwords. The best algorithm to use is | |
| <encoder class="Symfony\Component\Security\Core\User\User" | ||
| algorithm="bcrypt" | ||
| cost="12" /> | ||
| | ||
| <!-- ... --> | ||
| </config> | ||
| </srv:container> | ||
| | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
accessed