httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Jones" <b...@fccj.org>
Subject Re: Passing passwords to CGI
Date Wed, 04 Aug 1999 11:06:14 GMT
> Hi all,
> 
> I have the need for a CGI program to know the username and password the
> user logged in with, so that I can use this info to bind to an LDAP
> server. I know that the username is passed in the environment, but what
> about the password? Can Apache do this?
>
> If not, are there security issues with passing the password in the
> environment? Anyone know of any patches so that Apache can do this?
>
> Is there a "correct" way of doing this?
>
> Regards,
> Graham

:]

You can just ask them to 'log in' a fake form.  We do that using https (port
443) with digital certificates.

Then, using normal CGI, capture the UserID and Passwd anyway you want...

CGI, HTTP, and the Internet as a whole is not secure by it's nature.

I would highly recommend either Raven, Stronghold, or doing it yourself
using Apache-SSL (if you are building secure servers outside the US.)


HTH,
-Sneex-  :]
______________________________________________________
 "Never Mind" -- I'll improvise, adapt, and overcome;
  everything else will be deleted...

         Jacksonville Perl Mongers
         http://jacksonville.pm.org
         jax@jacksonville.pm.org

Mime
View raw message