httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Basic Authentication question
Date Thu, 12 May 2005 11:22:51 GMT
> -----Original Message-----
> From: K Anand [mailto:kanand@sail-steel.com]
> Sent: Donnerstag, 12. Mai 2005 10:46
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Basic Authentication question
> 
> 
> Thanx...I used ethereal to see the flow of data between browser and
> server...one point though...I was able to see my password in clear text in
> ethereal. So it is possible that it could be open to the public ??

Of course. What made you think it might be secure?

If you want to hide the PW, you have to use HTTPS. However, be aware that Basic authentication
is not very secure anyway (see http://httpd.apache.org/docs/howto/auth.html#basiccaveat)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
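As an added example (not from this thread), the exchange Owen describes in his quoted reply below, modelled in Python: the 401 challenge, the base64 Authorization header the browser sends, what ethereal shows when that header is decoded from a plain-HTTP capture, and the server-side check against an `htpasswd -s` style `{SHA}` entry. The realm is Anand's AuthName; the account `anand`/`s3cret` and the user table are constructed for the demo.

```python
import base64
import hashlib
import hmac

REALM = "By Invitaion Only"   # Anand's AuthName, as written in his config

def sha_entry(password: str) -> str:
    """Constructed AuthUserFile entry in the format `htpasswd -s` writes: {SHA}base64(sha1(pw))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

USERS = {"anand": sha_entry("s3cret")}   # constructed sample account, not from the thread

def challenge() -> tuple[int, dict]:
    """Step 1: no Authorization header -> 401 plus a WWW-Authenticate challenge for the realm."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

def client_authorization(user: str, password: str) -> str:
    """Step 2: the browser base64-encodes user:password. This is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def sniff(header: str) -> tuple[str, str]:
    """What ethereal shows on a plain-HTTP capture: the header decodes straight back to the credentials."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    return user, password

def handle_request(headers: dict) -> int:
    """Step 3: the server re-verifies the Authorization header on every request in the realm."""
    auth = headers.get("Authorization")
    if auth is None:
        return challenge()[0]
    try:
        user, password = sniff(auth)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError subclass
        return 400
    stored = USERS.get(user)
    # compare_digest keeps the comparison constant-time; unknown users get the same 401
    if stored is None or not hmac.compare_digest(stored, sha_entry(password)):
        return 401
    return 200

if __name__ == "__main__":
    hdr = client_authorization("anand", "s3cret")
    print(challenge(), hdr, sniff(hdr), handle_request({"Authorization": hdr}))
```

Only HTTPS wraps this exchange in encryption; the Basic scheme itself never hides the credentials from anyone on the path.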

> 
> Anand
> ----- Original Message ----- 
> From: "Boyle Owen" <Owen.Boyle@swx.com>
> To: <users@httpd.apache.org>
> Sent: Thursday, May 12, 2005 1:37 PM
> Subject: RE: [users@httpd] Basic Authentication question
> 
> 
> > -----Original Message-----
> > From: K Anand [mailto:kanand@sail-steel.com]
> > Sent: Donnerstag, 12. Mai 2005 05:52
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Basic Authentication question
> >
> >
> > you didn't understand what I was asking...The config I have included is
> > working ..I have used htpasswd and everything is working fine....All I want
> > to know is how does apache know that I have already authenticated or not ?
> 
> The first time the client requests a resource in a protected realm, it
> doesn't know it is protected so makes a plain request. The server responds
> with a 401 Unauthorized. The client then pops up a password window and
> captures the username/password (aka, the credentials). The client repeats
> the request but this time adds an Authorization header containing the
> credentials. The server gets the request and verifies the credentials, if
> OK, it serves the resource. The client caches the credentials and for all
> subsequent requests in the same realm, it adds the same Authorization
> header - that's how you stay "logged in".
> 
> That's also how it is really hard to get the browser to "forget" your
> password - even if you surf off to a different site and come back a day
> later, it'll remember your credentials and send them off again.
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
> >
> > Anand
> >
> > ----- Original Message ----- 
> > From: "Chris Winfield-Blum" <chris@leadingside.com>
> > To: <users@httpd.apache.org>
> > Sent: Thursday, May 12, 2005 9:14 AM
> > Subject: Re: [users@httpd] Basic Authentication question
> >
> >
> > > you will have to use the htpasswd tools located in your apache bin to
> > > create the password file. then you point that directory to that file: ie:
> > >
> > > /etc/httpd/conf/passwd/passwords
> > >
> > > This should do that you need :)
> > >
> > > K Anand said the following:
> > >
> > > >Hi all,
> > > >
> > > >I have a very basic question regarding authentication on apache...I have in
> > > >my httpd.conf a section like below :
> > > ><Directory "/var/www/cgi-bin">
> > > >    AuthType Basic
> > > >    AuthName "By Invitaion Only"
> > > >    AuthUserFile /etc/httpd/conf/passwd/passwords
> > > >    Require valid-user
> > > >
> > > >    AllowOverride None
> > > >    Options ExecCGI
> > > >    Order allow,deny
> > > >    Allow from all
> > > ></Directory>
> > > >
> > > >So whenever a browser first sends a cgi-bin request, authentication is done
> > > >by userid and password...Whenever subsequent requests come for cgi-bin,
> > > >authentication is not required provided the browser has not been closed. How
> > > >is this done ?
> > > >
> > > >I know that this is not a problem but I would like to know just for my
> > > >information.
> > > >
> > > >Thanx
> > > >Anand

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org