Authentication

Support and queries relating to all previous versions of ZoneMinder
chika_nidza
Posts: 11
Joined: Mon Jan 26, 2009 10:02 am

Authentication

Post by chika_nidza »

Hi everyone!

I'm trying to access the ZM server from another web server. The ZM server is in authenticated mode. When I try to access the stream, I generate the auth key and I use it in the stream URL:

http://localhost/cgi-bin/nph-zms?mode=mpeg&monitor=4&scale=100&bitrate=25000&maxfps=5&format=swf&auth=63a6d3b80abd79f1979542843e7ad0e3

This works.

On the other hand, if I try to access the event table using the same auth key, it doesn't work:

http://localhost/zm/index.php?filter[terms][0][val]=2&filter[terms][0][attr]=MonitorId&auth=63a6d3b80abd79f1979542843e7ad0e3&filter[terms][0][op]==&page=1&view=events

Why doesn't the authentication work in the second case? The only difference I can see is that the first URL is calling the CGI script, and the second is calling index.php directly.

I'd really appreciate your help....
chika_nidza
Posts: 11
Joined: Mon Jan 26, 2009 10:02 am

Post by chika_nidza »

Nobody has an idea??
cordel
Posts: 5210
Joined: Fri Mar 05, 2004 4:47 pm
Location: /USA/Washington/Seattle

Post by cordel »

I don't think it's really intended to work that way. You can pass user and password in the URL though.

&action=login&user=joe&password=guessme
chika_nidza
Posts: 11
Joined: Mon Jan 26, 2009 10:02 am

Post by chika_nidza »

Cordel, thanks for the reply. I will try the solution you provided as soon as I get home, but if I access the ZM server that way, I'm sending the user and the password unencrypted, which would be a threat to security.

There must be a way to access the server in a more secure manner - maybe &action=login&auth=63a6d3b80abd79f1979542843e7ad0e3 .... ? I'll try that too, and will post the results...
chika_nidza
Posts: 11
Joined: Mon Jan 26, 2009 10:02 am

Post by chika_nidza »

Ok, the method you provided works - just a little detail: the second parameter should be username instead of user... And it's not possible to use auth directly without code adaptations.

Thanks again!
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Using auth instead of user/pass has some merit. The only issue with using it as you propose is that as it stands you actually have to do the action of logging in first. Then cookies take care of your session. I will look at seeing how fiddly it is to treat an auth parameter as implying logging in if not already given.
Phil
zoneminder
Site Admin
Posts: 5215
Joined: Wed Jul 09, 2003 2:07 pm
Location: Bristol, UK

Post by zoneminder »

Having thought further on this I have decided it would be useful so have added it as a feature to 1.24.0. You will still need to explicitly allow this kind of login via Options->System->ZM_AUTH_HASH_LOGINS or it won't work.
Phil
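
The concern raised in the thread, that credentials passed in the query string travel and are stored in the clear, can be checked from the web server's side. The following is an added example (not part of the original thread and not ZoneMinder code) that scans combined-format access-log lines for the `password` and `auth` parameters seen above, in both the request target and the Referer, and returns redacted URLs. The log lines, client address and timestamps are constructed; the query strings follow the URL shapes posted in the thread.

```python
import re
from urllib.parse import urlsplit

# Parameter names as they appear in the URLs in this thread.
SENSITIVE = {"password": "plaintext password", "auth": "auth hash"}

# Request target and Referer of an Apache/nginx "combined" format log line.
LOG_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def redact(url):
    """Return (url_with_secret_values_masked, [kinds of secret found])."""
    parts = urlsplit(url)
    found, pairs = [], []
    for pair in parts.query.split("&") if parts.query else []:
        name, sep, value = pair.partition("=")
        if name.lower() in SENSITIVE and value:
            found.append(SENSITIVE[name.lower()])
            pair = name + sep + "[REDACTED]"
        pairs.append(pair)
    return parts._replace(query="&".join(pairs)).geturl(), found

def scan(lines):
    """Return (line_no, field, kinds, redacted_url) per log field holding a secret."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        # The Referer matters too: a page loaded with ?auth=... passes its
        # full URL along as Referer on follow-up requests.
        for field in ("target", "referer"):
            url, kinds = redact(m.group(field))
            if kinds:
                hits.append((no, field, kinds, url))
    return hits

# Constructed sample log (hypothetical client and timestamps).
H = "63a6d3b80abd79f1979542843e7ad0e3"  # hash value quoted in the thread
PRE = '192.0.2.10 - - [01/Feb/2009:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    PRE + '/zm/index.php?action=login&username=joe&password=guessme HTTP/1.1" 200 512 "-" "-"',
    PRE + '/cgi-bin/nph-zms?mode=mpeg&monitor=4&auth=' + H + ' HTTP/1.1" 200 0 "-" "-"',
    PRE + '/favicon.ico HTTP/1.1" 200 318 "http://localhost/zm/index.php?view=events&auth=' + H + '" "-"',
    PRE + '/zm/index.php?view=events&filter[terms][0][op]==&page=1 HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The fourth sample line shows that ordinary `filter[...]` parameters pass through untouched; only non-empty `password` and `auth` values are masked.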