#1
As you know there is a little tip in MSIE being at the same time a little security bug - autocomplete of the password when using .htaccess authorization. AFAIK there is one way to void it without changing MSIE setting - providing random AuthName when asking for password.

Now my question - how to make Apache to randomize AuthName in .htaccess? I know there's a way to rewrite (for example from cron) each .htaccess, but I'm looking for some easier (more reliable) way.

THXia
Maciek Sonik [maciek@sonik.pl]
#2
Great idea but I think it won't work the way you like it.

1) It's a waste of resources to run it from cron to modify the AuthName if there is no request made to your site.
2) Without cron, once a request is made, you can call up an external script to do the AuthName modification or within the same script. But the problem arises when such a request is complete: your visitor has to re-enter his password again when he clicks on something else. So you really need to figure out when is the right time to alter the AuthName.
3) >>in MSIE being at the same time a little security bug - autocomplete of the password
Netscape 6.0 PRx and Mozilla Mx now have the same feature.

Note that if htaccess is allowed, it's the first file to be read before your user's requested document (could be a script or a file or even an image).

>>Now my question - how to make Apache to randomize AuthName in .htaccess?
Apache itself doesn't do that. It has to be done from a script.

[This message has been edited by freebsd (edited August 27, 2000).]
#3
>>Great idea but I think it won't work the way you like it.

Look at http://www.eranet.pl/servlet/com.sun.webaccess.selector.Frameset?realm=Sims
I know that it's not an Apache but that's how it works. Every time you try to log in the Realm is different... What do you think - is it only possible using some kind of servlet?

Maciek Sonik [maciek@sonik.pl]
#4
>>Everytime you try to login the Realm is different
What about surfing from one page to another?

>>Look at http://www.eranet.pl/servlet/com.sun.webaccess.selector.Frameset?realm=Sims
Can't look without a password
#5
>>What about surfing from one page to another?
Once you're logged in you can surf all pages in that directory.

>>Can't look without a password
Sorry, can't give you mine.

MS

[This message has been edited by macieksonik (edited August 27, 2000).]
#6
>>Sorry, can't give you mine
Well, can't check that out without a password.

Anyway, instead of altering the AuthName, I can only think of using "Apache-AuthCookie" to force IE users to get a login prompt every time. Apache-AuthCookie-2.011.tar.gz can be downloaded at -> http://www.perl.com/CPAN-local/modules/by-module/Apache

You need to customize a script to delete the cookie when the session ends. On the next visit, your user will have to enter the password again since he has no cookie. You should go ahead and download Apache-AuthCookie-2.011.tar.gz and check out what it is all about.

Note, altering the global AuthName is not the right approach. Each user needs to be customized or be ticket-based.

[This message has been edited by freebsd (edited August 27, 2000).]
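
The behaviour debated in this thread, as an added example (not code from any poster, and not part of Apache or Apache-AuthCookie): a small Python WSGI handler that puts a fresh random realm in every 401 challenge but issues no new challenge once a request carries valid Basic credentials. The `USERS` table, the `Members` realm prefix and the `call` helper are constructed for illustration.

```python
import base64
import hmac
import secrets

# Constructed demo account (assumption); a real site checks its own password store.
USERS = {"demo": "correct horse"}

def random_realm(prefix="Members"):
    """Return a realm string that differs on every challenge."""
    return f"{prefix} {secrets.token_hex(4)}"

def credentials_ok(header):
    """Check an 'Authorization: Basic ...' header value against USERS."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None:
        return False
    # Constant-time comparison of the supplied and stored password.
    return hmac.compare_digest(password.encode(), expected.encode())

def app(environ, start_response):
    """Serve the page if credentials are valid, else challenge with a new realm."""
    if credentials_ok(environ.get("HTTP_AUTHORIZATION")):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"protected page\n"]
    start_response("401 Unauthorized", [
        ("WWW-Authenticate", f'Basic realm="{random_realm()}"'),
        ("Content-Type", "text/plain"),
    ])
    return [b"authentication required\n"]

def call(auth=None):
    """Invoke the app in-process (no socket); returns (status, headers dict)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    app(environ, start_response)
    return seen["status"], seen["headers"]
```

Browsers resend Basic credentials for later requests under the same path without waiting for a new challenge, so the realm only changes when a 401 is actually issued.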
Viewing: Dev Shed Forums > System Administration > Apache Development > Randomly set AuthName in Apache?