Santronics Software, Inc.
Web Authentication Configuration

The Wildcat! Web Server (wcWEB) offers various authentication methods. They are defined in the Wildcat! Configuration (WCCONFIG) | Web Server setup as shown by the following illustration:

Please note the following:

Although the Wildcat! Web Server now offers flexible login authentication options, you must program your HTML templates properly in order to support them. In addition, much of it depends on the user’s browser supporting cookies and JavaScript. Wildcat! WebMasters should see the new login.wct template provided with the base installations, which illustrates how it all works.

Wildcat! Web Server (wcWEB) now offers various login authentication methods. Traditionally, two methods were available to log in to the web server:

In the first case, the user started the browser and logged in to the web server using BASIC authentication, which is the HTTP standard using a plain text MD5 hashing. The web browser pops up a dialog box asking for the user’s name and password. The most prominent issue with BASIC authentication is that the user must close the browser in order to completely log off from the web server. The web server may time out the user, but unless the user closes the browser, he will never be completely 100% logged off.

In the second case, the user starts Wildcat! Navigator and logs in to Wildcat via dialup or telnet. If the user starts the Browser client, then wcNavigator will send the session challenge string to the browser via a special URL and log the user in again via the browser.

With wcNavigator, wcWEB offered cookie support when the user had cookies enabled in the browser. If cookies were disabled in the user’s browser, then BASIC authentication was used to open the browser client via wcNavigator.

Starting with AUP build 451.4, the web server offers new additional methods to provide better login security using Digest and cookie-based authentication support with or without SSL support:

Require SSL for Authentication (only if SSL is installed)

When this option is enabled, the user can only log in over a secured SSL channel (HTTPS). You must have SSL properly set up on your system using the SSL CONFIG setup utility.

Important Note: If SSL is set up to “[X] Require SSL for all connections” via the SSL Configuration utility, then all authentication methods require the user to use an SSL secured connection.

Allow Basic Authentication

Basic Authentication is when the user’s browser pops up a dialog box asking the user for the user name and password.  This is triggered using the URLs:

mode=html means the user wants to login via the browser and also use the browser to start the HTML/WCX version of the following WCN clients:

mode=client means the user wants to login via the browser, however, he wants to use HTML pages as a menu to activate or start the wcNavigator GUI version of the WCN clients.

See wcTemplates.chm help to better understand the WCN clients.

Basic Authentication is the standard method used on the Internet. However, it is considered highly insecure if you don’t have SSL enabled.

Allow Basic Authentication with SSL only

If this option is enabled, then BASIC authentication can only be used if the connection is secured with SSL. 

Important Note: If SSL is “[X] required for all connections” as set in SSL configuration, then all authentication methods require a secured SSL connection regardless of this particular setting.

Allow Digest Authentication

Digest uses the SHA1 hashing method to log in the user. It is considered a more secure method than Basic authentication. However, it still requires the user’s browser to pop up a dialog box to log in, so the user must close the browser to completely log off.

If you are going to Allow Basic Authentication, you should also allow Digest. The web server will prepare both and, depending on the user’s browser, the browser will choose the more secure method. Older browsers do not support Digest and will use BASIC only.

Allow Wildcat! Challenge Support

wcNavigator uses this method to open the browser after the user has first logged in via wcNavigator. wcNavigator will issue a special URL:

The challenge string is used by the web server to find the current user session and use this context for the web server context.

Allow Cookie Support

If enabled, the web server will enable cookie-based authentication using an MD5 hashing method. The user’s browser must have cookies enabled. This is considered more secure than BASIC and less secure than DIGEST; however, the major benefit is that you can now offer a “log off” button to completely log off from the web server.

Enable PCI Session Compliance

If enabled, the web server will operate under PCI compliance. See PCI support.
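The following is an added example, not Santronics code: a small Python model of how the options above interact, which reports the login methods open to a connection and flags the weak combinations this page warns about. The field names are hypothetical, and treating "Basic with SSL only" as a restriction on top of "Allow Basic" is an assumption.

```python
from dataclasses import dataclass


@dataclass
class WebAuthConfig:
    # Hypothetical field names mirroring the option labels on this page.
    require_ssl_for_auth: bool = False   # "Require SSL for Authentication"
    allow_basic: bool = False            # "Allow Basic Authentication"
    basic_ssl_only: bool = False         # "Allow Basic Authentication with SSL only"
    allow_digest: bool = False           # "Allow Digest Authentication"
    allow_challenge: bool = False        # "Allow Wildcat! Challenge Support"
    allow_cookie: bool = False           # "Allow Cookie Support"
    ssl_required_all: bool = False       # SSL config: "Require SSL for all connections"


def allowed_methods(cfg, over_ssl):
    """Return the set of login methods usable on one connection."""
    # Either SSL requirement blocks every login method on a plain HTTP connection.
    if (cfg.ssl_required_all or cfg.require_ssl_for_auth) and not over_ssl:
        return set()
    methods = set()
    # Assumption: "SSL only" narrows Basic rather than enabling it by itself.
    if cfg.allow_basic and (over_ssl or not cfg.basic_ssl_only):
        methods.add("basic")
    if cfg.allow_digest:
        methods.add("digest")
    if cfg.allow_challenge:
        methods.add("challenge")
    if cfg.allow_cookie:
        methods.add("cookie")
    return methods


def audit(cfg):
    """List the weak combinations called out in the option descriptions."""
    findings = []
    if "basic" in allowed_methods(cfg, over_ssl=False):
        findings.append("Basic login is reachable without SSL")
    if cfg.allow_basic and not cfg.allow_digest:
        findings.append("Basic is allowed but Digest is not offered alongside it")
    if not cfg.allow_cookie:
        findings.append("No cookie login, so users cannot fully log off without closing the browser")
    return findings


if __name__ == "__main__":
    weak = WebAuthConfig(allow_basic=True)  # constructed sample configuration
    hardened = WebAuthConfig(allow_basic=True, basic_ssl_only=True,
                             allow_digest=True, allow_cookie=True)
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(name, sorted(allowed_methods(cfg, over_ssl=False)), audit(cfg))
```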