|
From: | Giuseppe Modugno |
Subject: | Re: [lwip-users] httpd and authentication |
Date: | Mon, 13 Nov 2017 08:55:00 +0100 |
User-agent: | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 |
Il 11/11/2017 09:07, goldsimon ha scritto:
I know lwip is an open-source community project, but it's very strange a minimal HTTP authorization support isn't implemented (yet). Today it's very difficult to think of an embedded HTTP server that isn't protected at all from unathorized access.Giuseppe Modugno wrote:I'd like to protect some or all web pages and show them only to authorized people. I understood there are two methods: basic and digest.I guess both are outdated. Modern web pages use a custom input field which is sent to the server via POST. You'll need TLS obviously if you want the data to be protected. The server then opens a session by sending the client a session cookie which is then included in all further requests from the client. Sadly, this is not implemented in lwip httpsd yet. The server code supports POST but not sending/parsing cookies (although that part should be easy to add). An overall example and session handling is missing though.
I suppose all the people using HTTP server in lwip apps folder add their own authorization mechanism and it is a pity noone commit this to the original HTTP server.
I don't think to have the capability to add auth mechanism... however I'll try and I'll share my results.
[Prev in Thread] | Current Thread | [Next in Thread] |