httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: [users@httpd] Is it wise and feasible to write .htaccess file for my application??
Date Tue, 31 Aug 2004 07:30:37 GMT
1) Plain text please...
2) List users don't appreciate stupid ads - please disable.

Regarding your question - I presume you really mean "Is it wise and
feasible to use Basic Authentication for my application??" To explain:
.htaccess is a mechanism for applying directives to apache from a file
in a directory and without editing the main config or restarting the
server. Among the many directives you can put in a .htaccess file are
those of mod_auth which provide password authentication. However, a) you
can put other directives in a .htaccess and b) you can put your mod_auth
directives directly in the main config.

That aside, the Basic Authentication scheme has its limitations:
- usernames and passwords (the credentials) are sent in simple base64
encoding in the request header. You need to wrap the URL in SSL to truly
encrypt the credentials.
- there is no limit on failed requests or request retry rate (cf. unix
shell) - makes it vulnerable to brute-force cracking methods.
- there is no alert on failed attempts (cf. unix shell); you'd need to
scan the logs.
- password authentication is based on a linear scan through the password
file. If you have thousands of users this can get slow. However, as
Joshua reported on an earlier thread, a DBM-based module exists to speed
this up.
- you can have only one level of authentication (you can't nest realms).

Read for a step-by-step

For high performance user authentication and authorization you need to
migrate to a session-based approach (ie, cookies). This requires quite a
heavy server-sided application (eg, CGI, PHP, Java)

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group. Le présent e-mail est
un message privé et personnel, sans rapport avec l'activité boursière du
Groupe SWX.

-----Original Message-----
From: Singh []
Sent: Montag, 30. August 2004 20:37
Subject: [users@httpd] Is it wise and feasible to write .htaccess file
for my application??

Hi experts...
Well i want to clarify that is it wise and feasible to write .h

taccess file for my application which will be live24/7 to thousands of
users. I have almost implemented all the things which are suggested to
secure apache in the Apachedocs. My envt is RHL 9.0/ Apache2.0 with
mod_mono/ Mono 1.0. The users will be accessing some other directories
too in the main application directory. e.g if i have placed the
application directory "apps" as under /var/www/html/apps, now in this
apps directory i have some other directories which the users will be
needing to retrieve some data for thier use. Should i check for the
authentication at that level too? All I want is that only valid users
may have access to that data. Although at the first entry point the .NET
applcation asks for the authentication of the valid user but i was still
wondering from my, i mean Apache's point of view. I dont know whether
this is a valid question or not and i need your help. So from that point
of view what do you suggest? What are the "MUST" security options that i
need to take care of in Apache/RHL? I would really appreciate if you
could guide me step by step...
Thanks in advance
Best Regards

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message