httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michele Waldman" <mmwald...@nyc.rr.com>
Subject Making mod_auth_digest mysql
Date Sun, 01 Feb 2009 20:19:38 GMT
I hope I got the email correct.  I'm trying to post to the mailing list.

 

I want to do the following in htaccess for account security:

<FilesMatch ".*[^(wp_login.php|logout.php)]">

SetEnvIf Authorization "^(.*)Account(.*)$" logged_in

Order Allow,Deny

Allow from env=logged_in

</FilesMatch>

<Files wp_login.php>

AuthType Basic

AuthName "Account"

require group account

</Files>

<Files logout.php>

AuthType Basic

AuthName "Leave"

require group leave

</Files>

 

Basic authentication doesn't "remember" the authtype, but Digest does.

Cookies are too insecure because they are readily editable.

I'm connecting over a secure certificate.  I believe a user could possible
telnet and send an authorization header?

I want to know the risk of them getting or guessing the right AuthType under
these circumstances.

How vulnerable is the request authorization header?

Also, it seems to me I could rewrite mod_auth_digest to use mysql by
modifying the code recompiling and linking in the new object.

I haven't tried it yet, so I don't know the obstacles.  I'd like to know if
this is a worthwhile endeavor first and how much of a security risk will be
introduced.

The point of this is to avoid the ugly popus that require authentication
causes.

Does anyone have any suggestions on a better approach?

 

Michele

 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message