Received: by taz.hyperreal.com (8.6.12/8.6.5) id JAA18884; Wed, 10 Apr 1996 09:29:23 -0700
Received: from dicsmss1.jrc.it by taz.hyperreal.com (8.6.12/8.6.5) with SMTP id JAA18877; Wed, 10 Apr 1996 09:29:19 -0700
Received: from jrc.it (elect6.jrc.it) by dicsmss1.jrc.it (4.1/EB-950131-C) id AA15834; Wed, 10 Apr 96 18:32:56 +0200
Received: by jrc.it (5.x/EB-950213-L) id AA26822; Wed, 10 Apr 1996 18:28:32 +0200
Date: Wed, 10 Apr 1996 18:28:32 +0200
From: "Dirk.vanGulik"
Message-Id: <9604101628.AA26822@ jrc.it>
To: new-httpd@hyperreal.com
Subject: Re: Authorization checking
X-Sun-Charset: US-ASCII
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com
Status: O
X-Status:

> So what's proposed is that CGI-BIN scripts should have access to
> the incoming passwords by receiving them in HTTP_THE_PASSWORD_FOR_TODAY_IS
> environment variables? If this were done (it's a one-line hack,
> if not a -1 line hack, since you need to remove an 'if' statement),
> then there should be some way to prevent passwords being passed to
> *all* the CGI/SSI environment regardless.
....
> If people *want* to play with the passwords then let 'em, but only
> with the webadmin's consent, and keep the default behaviour as it
> is now.

Oops, shame on me! The latter is very sensible, and I was still thinking along the lines of dbm, htpasswd, msql and friends, where the password gets passed around between the database and Apache in a crypt()-ed format, which is essentially quite easy to eavesdrop on. I had forgotten that in HTTP the password goes over the wire in plain text and ends up in the env-var. Which indeed is a very bad idea.

I'll crawl back into the woodwork then :-)

Dw.
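The point being made in this exchange is that an HTTP Basic credential is only base64-encoded, so whatever receives the Authorization header (including a CGI script, if the server copies it into HTTP_AUTHORIZATION) holds the plaintext password. The following is an added illustration, not code from the original message or from Apache: it models the CGI/1.1 header-to-environment mapping, keeps the "drop Authorization unless the admin opts in" default the message wants preserved, and shows what a script recovers once that default is switched off. The sample request headers and the `pass_authorization` flag name are constructed for the example.

```python
import base64
import binascii

# Headers that the default behaviour never forwards to CGI/SSI as HTTP_*
# variables; the quoted text above calls this check "the 'if' statement".
SENSITIVE_HEADERS = {"authorization", "proxy-authorization"}


def header_to_env_name(name):
    """Map an HTTP header name to its CGI meta-variable name (CGI/1.1 rules):
    uppercase, '-' becomes '_', prefixed with HTTP_ except for the two
    content headers, which the spec passes without the prefix."""
    key = name.strip().upper().replace("-", "_")
    if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return key
    return "HTTP_" + key


def build_cgi_env(headers, pass_authorization=False):
    """Build the header-derived part of a CGI environment.

    pass_authorization=False is the default the message argues for: the
    Authorization header is dropped, so a script never sees the credential.
    Setting it to True models the "one-line hack" of removing that check.
    (Flag name is an assumption made for this example.)
    """
    env = {}
    for name, value in headers:
        if name.lower() in SENSITIVE_HEADERS and not pass_authorization:
            continue
        env[header_to_env_name(name)] = value
    return env


def decode_basic_auth(value):
    """Recover (user, password) from a 'Basic <base64>' credential.

    Basic auth is encoding, not encryption: anyone who can read the header,
    or an environment variable holding it, has the plaintext password.
    Returns None for other schemes or malformed input.
    """
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(b64, validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def password_visible_to_cgi(headers, pass_authorization=False):
    """What a CGI script would learn about the user's password from its
    environment: None under the default, the plaintext once passed through."""
    env = build_cgi_env(headers, pass_authorization)
    raw = env.get("HTTP_AUTHORIZATION")
    if raw is None:
        return None
    creds = decode_basic_auth(raw)
    return creds[1] if creds else None


# Constructed sample request headers for the demonstration (not taken from
# the original message or any real traffic).
SAMPLE_HEADERS = [
    ("Host", "www.example.org"),
    ("User-Agent", "Mozilla/2.0"),
    ("Authorization", "Basic " + base64.b64encode(b"dirk:s3cret").decode("ascii")),
    ("Content-Type", "application/x-www-form-urlencoded"),
]

if __name__ == "__main__":
    # Default: the credential never reaches the script's environment.
    print(build_cgi_env(SAMPLE_HEADERS))
    print(password_visible_to_cgi(SAMPLE_HEADERS))
    # After the "hack": the script reads the plaintext password.
    print(password_visible_to_cgi(SAMPLE_HEADERS, pass_authorization=True))
```

Note that verifying against an htpasswd/dbm entry would still require the server to hold the plaintext for the duration of the check; the difference the message lands on is that copying the header into the environment hands that plaintext to every script and SSI include on the server, not just to the authentication module.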