httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Programming a timeout into Apache
Date Tue, 31 Aug 2004 18:25:51 GMT

On Tue, 31 Aug 2004, Wallace, Brian S. wrote:

> Are there any tricks that can be done like telling the browser to clear
> the password cache

Not that I know. And this list is more for the development of apache so
not sure if this is the right place.

> or have the browser return the realm name that it's authenticating to?
> Any other ideas or approaches to this problem would be appreciated.

Approaches I've used:

* prefix the path with a random string; and only ask for an auth beyond
that string. Most browsers will not try to use the password; or happily
flash the popup box when a new prefix is seen. The timeout is simply (in
my case) based on an MD5 of a secret, the client's IP address, the time of
issue followed by a plaintext time itself. When the timeout comes the
module accepts the connection; accepts the password as usual but does a
redirect to a new prefix.

* use the password in a form to set a crypto cookie or forward to a random
page (i.e. postfix with a /counter++) and ask auth there (digest perhaps).
If you must do it as your own module you can rip some ideas out of the 2.0
code or out of http://www.apache.org/~dirkx/mod_auth_jabber/

* for the truly evil (and I've only done this in an intranet situation;
not sure how wise this is on an internet); put in a wildcard DNS entry;
use server alias and use trick a with a random prefix in the FQDN. This
fixes the issue with some corporate IE versions which also offer up the
NT real username/passwd unsolicited.

Dw
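
The timed prefix from the first approach above, as an added example that is not part of the original post or of any Apache module: a keyed digest over the client IP and issue time, followed by the plaintext issue time, with a redirect to a fresh prefix once it is too old. HMAC-SHA256 stands in for the MD5 of a secret that the post describes; the function names, the secret, the 15-minute lifetime and the `<tag>-<time>` layout are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: server-side secret, never sent out
LIFETIME = 900                       # assumption: timeout of 15 minutes, in seconds


def _tag(client_ip: str, issued: int) -> str:
    # Keyed digest binding the prefix to one client IP and one issue time.
    # The post uses MD5 over (secret, IP, time); HMAC-SHA256 is swapped in here.
    msg = f"{client_ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_prefix(client_ip: str, now: int | None = None) -> str:
    """Return a path prefix: digest, then the plaintext issue time."""
    issued = int(time.time()) if now is None else now
    return f"{_tag(client_ip, issued)}-{issued}"


def check_prefix(prefix: str, client_ip: str, now: int | None = None) -> str:
    """Classify a prefix as 'valid', 'expired' or 'invalid'."""
    now = int(time.time()) if now is None else now
    tag, _, issued_txt = prefix.partition("-")
    if not (issued_txt.isascii() and issued_txt.isdigit()):
        return "invalid"
    issued = int(issued_txt)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode(), _tag(client_ip, issued).encode()):
        return "invalid"   # altered time, wrong secret, or issued to another IP
    if issued > now or now - issued > LIFETIME:
        return "expired"   # authentic but too old
    return "valid"


def route(path: str, client_ip: str, now: int) -> tuple[int, str]:
    """For /<prefix>/<rest>: serve if the prefix is valid, else redirect to a new one."""
    prefix, _, rest = path.lstrip("/").partition("/")
    if check_prefix(prefix, client_ip, now) == "valid":
        return 200, f"/{prefix}/{rest}"
    return 302, f"/{issue_prefix(client_ip, now)}/{rest}"
```

Because the issue time travels in the clear, the server keeps no per-client state; changing the time in the URL invalidates the digest.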
