httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dirk.vanGulik" <>
Subject Re: Authorization checking
Date Wed, 10 Apr 1996 16:28:32 GMT

> So what's proposed is that CGI-BIN scripts should have access to
> the incoming passwords by receiving them in HTTP_THE_PASSWORD_FOR_TODAY_IS
> environment variables?  If this were done, (it's a one line hack,
> if not a -1line hack since you need to remove an 'if' statement)
> then there should be some way to prevent passwords being passed to
> *all* the CGI/SSI environment regardless.
> If people *want* to play with the passwords then lettem, but only
> with the webadmin's consent, and keep the default behaviour as it
> is now.

Oeps, shame on me !

The latter is very sensible and I was still thinking along the lines
of dbm, htpasswd, msql and friends; where the password gets passed 
around between the database and apache in a crypt()-ed format which 
is essentially quite easy to eavesdrop on.

I had forgotten that that in http the password goes over the wire in 
plain text; and ends up in the env-var. Which indeed is a very bad idea.

I'll crawl back into the woordwork then :-)


View raw message