httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Re: [users@httpd] AuthType, Content hashing for LDAP
Date Fri, 05 Dec 2008 18:29:40 GMT
On Fri, 5 Dec 2008 17:28:17 +0200
"Johnny Edge" <> wrote:

> Everything is fine and works as expected, however I much prefer to
> have the 'Authorization: Basic YXBhY2hldXNlcjphcGFjaGVwYXNz' header
> encrypted and not available to a var such as $_SERVER["PHP_AUTH_PW"]
> in PHP while not harming the ldap functionality.

Isn't there a PHP option to suppress that?  With CGI the password
is always withheld unless you compile with BIG_SECURITY_HOLE?

You could use RequestHeader.

> Do you reckon there is a work around for this, i.e. w/ mod Digest or
> other means?

That'll work around it too, to the extent that the credentials
exposed to PHP will be of no use to a cracker.  But better just
to remove it, or replace it with a dummy value.

Nick Kew

Application Development with Apache - the Apache Modules Book

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message