httpd-dev mailing list archives

From (Robert S. Thau)
Subject Re: Authorization checking
Date Wed, 10 Apr 1996 15:52:38 GMT
  This would allow client scripts, by using a modified status reply
  to 'fake' or do their own authorization control.

This idea was extensively discussed on (I think) www-talk recently.
Many people do *not* regard it as a good idea, for several reasons;
among these are the potential for having scripts grab auth data
for realms on the same server to which the script owner would not
otherwise have access.  Also, more seriously, on most Unix systems,
ps has options to read out the entire environment of a running
process, which would allow third parties to grab the auth data for
any script which was implementing auth in this fashion.

For these reasons (especially because of the environment problem),
I would prefer not to implement the thing at all, and if it is 
implemented, it should *certainly* be an option which defaults *off*.
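
The environment problem described in the message above, shown as an added example that is not part of the original message or of Apache's code: a child process that receives a credential in its environment exposes it to anyone who can read that process's environment, while the same credential sent over a pipe never appears there. It assumes Linux with /proc mounted; the variable name, the credential value and the pipe variant are constructed for illustration and are not proposed in the thread.

```python
import os
import subprocess
import sys

SECRET = "constructed-demo-password"   # constructed sample credential
VAR = "DEMO_AUTH_PASSWORD"             # hypothetical variable name, not from the thread
# Stand-in for a script: read one credential line from stdin, then wait for EOF.
CHILD = "import sys; sys.stdin.readline(); sys.stdin.read()"

def read_environ(pid):
    """Parse /proc/<pid>/environ (NUL-separated KEY=VALUE), the data `ps e` prints."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        items = f.read().split(b"\0")
    pairs = (i.split(b"=", 1) for i in items if b"=" in i)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, v in pairs}

def secret_visible(via_env):
    """Start the child, hand it the credential one way or the other, and report
    whether an observer reading its environment sees the credential."""
    env = dict(os.environ)
    if via_env:
        env[VAR] = SECRET                       # exposed design: credential in environment
    child = subprocess.Popen([sys.executable, "-c", CHILD], env=env, stdin=subprocess.PIPE)
    try:
        if not via_env:
            child.stdin.write((SECRET + "\n").encode())  # alternative: credential over a pipe
            child.stdin.flush()
        return SECRET in read_environ(child.pid).values()
    finally:
        child.stdin.close()
        child.wait()

if __name__ == "__main__":
    print("credential in environment ->", secret_visible(True))
    print("credential over stdin pipe ->", secret_visible(False))
```

On current Linux kernels /proc/<pid>/environ is readable only by the process owner and root, so the exposure there is narrower than on the systems the message describes, but it still reaches every other process running under the same account.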

