I've set up lighttpd on my embedded device and configured the modules in the lighttpd.conf
When accessing the web pages from Chrome or Firefox from the PC I get asked for the username and password and after I supplied them the page loads.
When I do the same on the iPad or iPhone Browser I also get the authentication dialog but for some reason it pops up repeatedly.
Using the mod_accesslog module I was able to see that the iPad still makes requests without using the authentication, which results in HTTP 401 for some requests:
192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET /[...] HTTP/1.1" 304 0 "http://192.168.2.247/" ...
192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET /[...] HTTP/1.1" 304 0 "http://192.168.2.247/" ...
192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:33 +0200] "GET /[...] HTTP/1.1" 401 351 "http://192.168.2.247/" ...
192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:56 +0200] "GET / HTTP/1.1" 401 351 "-" ...
I also tried to add the mod_access module, but that did not change anything.
Does the problem lie in the browser or in the lighttpd webserver or its modules/configuration? How can it be fixed?
The relevant parts of my lighttpd.conf file look like this:
# mod_auth must be loaded before mod_fastcgi
server.modules = (
"mod_auth",
"mod_cgi",
"mod_fastcgi"
)
The section with the mod_auth configuration looks like this:
auth.debug = 0
auth.backend = "plain"
auth.backend.plain.userfile = "/tmp/lighttpd-plain.user"
auth.require = (
"/" =>
(
"method" => "digest",
"realm" => "myRealm",
"require" => "valid-user"
)
)
edit:
One thing that I forgot to mention was that the web page makes AJAX requests using jQuery. The requests don't set the username and password variables. On all browsers this works without problems after the user has authenticated via the browser's popup dialog.
I think the AJAX requests on Safari might be the ones that don't use any credentials and thus get the 401 etc. Is there a way to make it use the credentials the user provided in the dialog box?
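To confirm from the access log which client is sending requests without credentials after it already authenticated (the pattern in the log excerpt above), a small parser over mod_accesslog lines is enough. The following is an added example, not code from the question or from lighttpd; the log lines, paths, user-agent strings and the lighttpd field order (client, vhost, user, timestamp, request, status, bytes, referer, user-agent) are constructed to match the excerpt above and are assumptions.

```python
import re
from collections import defaultdict

# Field order as it appears in the question's excerpt (assumed to end with
# a quoted User-Agent, which the excerpt elides with "...").
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: the iPad client (.33) authenticates, then its follow-up
# requests arrive with no credentials; the PC client (.50) gets the normal
# initial 401 challenge and then authenticates cleanly.
SAMPLE_LOG = [
    '192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (iPad) Safari"',
    '192.168.2.33 192.168.2.247 wwwX [10/Apr/2011:16:01:30 +0200] "GET /js/app.js HTTP/1.1" 304 0 "http://192.168.2.247/" "Mozilla/5.0 (iPad) Safari"',
    '192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:33 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 401 351 "http://192.168.2.247/" "Mozilla/5.0 (iPad) Safari"',
    '192.168.2.33 192.168.2.247 - [10/Apr/2011:16:01:56 +0200] "GET / HTTP/1.1" 401 351 "-" "Mozilla/5.0 (iPad) Safari"',
    '192.168.2.50 192.168.2.247 - [10/Apr/2011:16:02:01 +0200] "GET / HTTP/1.1" 401 351 "-" "Mozilla/5.0 (Windows) Firefox"',
    '192.168.2.50 192.168.2.247 wwwX [10/Apr/2011:16:02:03 +0200] "GET / HTTP/1.1" 200 1204 "-" "Mozilla/5.0 (Windows) Firefox"',
    '192.168.2.50 192.168.2.247 wwwX [10/Apr/2011:16:02:04 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 200 88 "http://192.168.2.247/" "Mozilla/5.0 (Windows) Firefox"',
]


def parse_line(line):
    """Parse one accesslog line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # lighttpd logs "-" in the user field when no credentials were accepted.
    rec["authenticated"] = rec["user"] != "-"
    return rec


def summarize(lines):
    """Per-client counts of requests, authenticated requests, and
    unauthenticated 401s, plus the user-agents seen for that client."""
    stats = defaultdict(lambda: {
        "requests": 0, "authenticated": 0, "unauthenticated_401": 0, "user_agents": set(),
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["authenticated"]:
            s["authenticated"] += 1
        elif rec["status"] == 401:
            s["unauthenticated_401"] += 1
        s["user_agents"].add(rec["ua"])
    return dict(stats)


def find_credential_drops(lines):
    """Return 401 requests sent without credentials by a client that had
    already completed an authenticated request earlier in the log.  The
    first 401 of a fresh session is the normal challenge and is ignored."""
    seen_authenticated = set()
    drops = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["authenticated"]:
            seen_authenticated.add(rec["client"])
        elif rec["status"] == 401 and rec["client"] in seen_authenticated:
            drops.append({"client": rec["client"], "path": rec["path"],
                          "ua": rec["ua"], "ts": rec["ts"]})
    return drops


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s["requests"], "requests,", s["authenticated"], "authenticated,",
              s["unauthenticated_401"], "unauthenticated 401s,", sorted(s["user_agents"]))
    for d in find_credential_drops(SAMPLE_LOG):
        print("credentials dropped:", d["client"], d["ts"], d["path"], d["ua"])
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the accesslog file; a client that shows up in find_credential_drops with a referer pointing at the page and a browser user-agent is the one whose follow-up (e.g. AJAX) requests are being sent without the Authorization header.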
That's because you're using digest authentication, which is not supported / buggy on some browsers. You should either use the basic method (which is not secure) or implement your own authentication using cookies. If you're interested in a secure and efficient authentication solution (built-in protection against brute-force attacks and account sharing) please check our site: finesec.com