14 changes: 13 additions & 1 deletion book/security.rst
@@ -264,6 +264,18 @@ Great! Now, if you go to ``/admin``, you'll see the HTTP Basic popup:
.. image:: /images/book/security_http_basic_popup.png
:align: center

.. caution::

The ``http_basic`` firewall is only recommended while prototyping applications
or when the application is exclusively accessed through secure transports, such
as HTTPS. The reason is that browsers include user credentials in each request
without applying any hashing mechanism, just a plain base64 encoding.

Instead, consider using the ``http_digest`` firewall, which is almost identical
to ``http_basic`` but where user credentials are encoded and hashed before
including them in the request. Read
:ref:`HTTP-Digest Authentication reference <reference-security-http-digest>`.

Member

Not sure I like this recommendation. Or at least, the many drawbacks of the Digest auth method should be mentioned.

Member Author

On Wikipedia, we can find this list of disadvantages of auth-digest. Is this what you were referring to?

  • Many of the security options in RFC 2617 are optional. If quality-of-protection (qop) is not specified by the server, the client will operate in a security-reduced legacy RFC 2069 mode
  • Digest access authentication is vulnerable to a man-in-the-middle (MitM) attack. For example, a MitM attacker could tell clients to use basic access authentication or legacy RFC2069 digest access authentication mode. To extend this further, digest access authentication provides no mechanism for clients to verify the server's identity
  • Some servers require passwords to be stored using reversible encryption. However, it is possible to instead store the digested value of the username, realm, and password
  • It prevents the use of a strong password hash (such as bcrypt) when storing passwords (since either the password, or the digested username, realm and password must be recoverable)
Member

@javiereguiluz What was your original motivation for creating this PR? If it's security related, I think we can keep this message shorter (I'd really like to keep it as short as possible) and just highlight that http_basic is only secure over HTTPS and that http_digest may be another option over http (though it still feels funny to me to send any auth over a non-secure connection).

But who can you login as? Where do users come from?

.. _book-security-form-login:
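Review bot: The second paragraph of the new caution, which recommends ``http_digest`` as the alternative, overstates what Digest buys: the credentials are hashed before being sent, but the method still lets an active man-in-the-middle downgrade the client to Basic or to the legacy RFC 2069 mode, gives the client no way to verify the server's identity, and forces the server to keep the password (or the username/realm/password digest) in recoverable form instead of a bcrypt hash, all of which the review thread above points out. Suggest the caution lead with the actual fix, serving the application over HTTPS, and mention ``http_digest`` only as a weaker fallback for plain HTTP, e.g. "If you cannot use HTTPS, ``http_digest`` avoids sending the raw password but does not protect against an active attacker, and it prevents storing passwords with a strong hash such as bcrypt."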
@@ -474,7 +486,7 @@ else, you'll want to encode their passwords. The best algorithm to use is
<encoder class="Symfony\Component\Security\Core\User\User"
algorithm="bcrypt"
cost="12" />

<!-- ... -->
</config>
</srv:container>
13 changes: 9 additions & 4 deletions reference/configuration/security.rst
@@ -469,10 +469,15 @@ multiple firewalls, the "context" could actually be shared:
),
));

.. _reference-security-http-digest:

HTTP-Digest Authentication
--------------------------

To use HTTP-Digest authentication you need to provide a realm and a key:
To use HTTP-Digest authentication you need to provide a realm and a key, which
is the random string that will be used to hash the user's credentials. It's common
to use the ``%secret%`` parameter defined in the ``app/config/parameters.yml``
file:

.. configuration-block::

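Review bot: The new sentence describes the ``key`` as "the random string that will be used to hash the user's credentials", but the digest the client sends is computed from the username, realm and password (as the list quoted in the thread above also states), so the key is not an input to the credential hash; in the digest entry point it is the server-side secret used to generate and verify the nonce. Suggest rewording to that effect, e.g. "a key, a secret string the server uses to generate and validate its nonces". Also, pointing readers at the application-wide ``%secret%`` ties the digest key to every other feature that parameter protects; recommending a dedicated parameter would be the safer default.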
@@ -483,15 +488,15 @@ To use HTTP-Digest authentication you need to provide a realm and a key:
firewalls:
somename:
http_digest:
key: "a_random_string"
key: "%secret%"
realm: "secure-api"

.. code-block:: xml

<!-- app/config/security.xml -->
<security:config>
<firewall name="somename">
<http-digest key="a_random_string" realm="secure-api" />
<http-digest key="%secret%" realm="secure-api" />
</firewall>
</security:config>

@@ -502,7 +507,7 @@ To use HTTP-Digest authentication you need to provide a realm and a key:
'firewalls' => array(
'somename' => array(
'http_digest' => array(
'key' => 'a_random_string',
'key' => '%secret%',
'realm' => 'secure-api',
),
),