httpd-modules-dev mailing list archives

From Bob Ionescu <bobsie...@googlemail.com>
Subject Re: Making mod_auth_digest mysql
Date Fri, 06 Feb 2009 01:40:48 GMT
2009/2/1 Michele Waldman <mmwaldman@nyc.rr.com>:
The userlist (http://httpd.apache.org/userslist.html) might be a
better place, but...

> I want to do the following in htaccess for account security:
>
> <FilesMatch ".*[^(wp_login.php|logout.php)]">

That would not do what it should do. [^...] is a negated character
class to exclude certain characters but not a specific string. You'll
need a negative lookahead

<FilesMatch "^(?!wp_login\.php|logout\.php)">

> Basic authentication doesn't "remember" the authtype, but Digest does.

AuthType? AuthName, I guess.

> I'm connecting over a secure certificate.  I believe a user could possibly
> telnet and send an authorization header?

I'd expect that you/your module would require SSL/TLS, but if a client
sends an authorization request header which contains 'Account', you'd
"authenticate". Not very secure?!

> I want to know the risk of them getting or guessing the right AuthType under
> these circumstances.

If you're requesting wp_login.php AuthName should be served. Of
course, someone needs to know that; you could perform a probability
calculation, of course. Expect the unexpected.

> The point of this is to avoid the ugly popups that requiring authentication
> causes.

How do you convince the client to send an authorization request
header? Via such a popup for wp_login.php. Once authenticated the
popup shouldn't appear for that session and realm, but I guess your
point is that no one should see that they can authenticate unless they
are using the back door link wp_login.php?

> Does anyone have any suggestions on a better approach?

Maybe. If my last assumption is your point, modify/write an auth
module which replies with a
 - 401
   - for certain URLs (e.g. /wp_login.php) if no authorization header
was present or
   - for all URLs if an authorization header was present but the
credentials didn't match;

or with a
 - 403 if the condition for a 401 didn't match.

The bottom line would be that the client is either authenticated or
receives a 403 forbidden instead of a 401.

Bob
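To make the two technical points in this reply concrete, here is an added example in Python (not code from the thread, from httpd or from any module Bob describes): it shows why the negated character class leaves a file such as plugin.php unprotected while the negative lookahead covers it, and it models the 401/403 decision sketched above for a custom auth module. The user table, the set of login URLs and the Basic-auth parsing are assumptions made for the demonstration.

```python
import base64
import hmac
import re

# The two <FilesMatch> patterns from the thread. Apache tests FilesMatch
# against the file's base name, so plain file names are used below.
BROKEN_PATTERN = re.compile(r".*[^(wp_login.php|logout.php)]")  # negated class
FIXED_PATTERN = re.compile(r"^(?!wp_login\.php|logout\.php)")     # lookahead


def is_protected(filename, pattern=FIXED_PATTERN):
    """True if a <FilesMatch> block using `pattern` would apply to filename.

    With BROKEN_PATTERN every character of "plugin.php" is inside the
    class, so no character can satisfy [^...] and the file is left open.
    """
    return pattern.search(filename) is not None


# Constructed sample data for the 401/403 decision (assumptions, not httpd's).
USERS = {"alice": "s3cret"}        # constructed user table
LOGIN_PATHS = {"/wp_login.php"}    # the only URLs allowed to answer 401 unprompted


def basic_header(user, password):
    """Build a Basic Authorization header value for the demo."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_valid(auth_header):
    """Check a Basic header against USERS, comparing in constant time."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    if user not in USERS:
        return False
    return hmac.compare_digest(password.encode(), USERS[user].encode())


def decide(path, auth_header):
    """Status the sketched module returns: 200 (authenticated), 401 or 403.

    401 is sent only where a prompt is wanted: a login URL without a header,
    or any URL whose header fails to verify. Everything else gets 403, so no
    other URL advertises that authentication exists.
    """
    if auth_header is not None:
        return 200 if credentials_valid(auth_header) else 401
    return 401 if path in LOGIN_PATHS else 403
```

Note that the lookahead only tests the start of the name, so a file named wp_login.php.bak would also be excluded; anchoring the alternatives with `$` closes that gap.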
