#1
    As you know there is a little tip in MSIE being at the same time a little security bug - autocomplete of the password when using .htaccess authorization. AFAIK there is one way to void it without changing the MSIE setting - providing a random AuthName when asking for the password.

    Now my question - how to make Apache to randomize AuthName in .htaccess?
    I know there's a way to rewrite (for example from cron) each .htaccess, but I'm looking for some easier (more reliable) way.

    THXia

    Maciek Sonik [maciek@sonik.pl]
  2. #2
    freebsd
    Great idea but I think it won't work the way you like it.

    1) It's a waste of resources to run it from cron to modify the AuthName if there is no request made to your site
    2) Without cron, once a request is made, you can call up an external script to do the AuthName modification or within the same script. But the problem arises when such a request is complete, your visitor has to re-enter his password again when he clicks on something else. So you really need to figure out when the right time is to alter the AuthName
    3) >>in MSIE being at the same time a little security bug - autocomplete of the password
    Netscape 6.0 PRx and Mozilla Mx now have the same feature

    Note that if htaccess is allowed, it's the first file to be read before your user's request document (could be a script or a file or even an image)

    >>Now my question - how to make Apache to randomize AuthName in .htaccess?
    Apache itself doesn't do that. It has to be done from a script.

    [This message has been edited by freebsd (edited August 27, 2000).]
  4. #3
    >>Great idea but I think it won't work the way you like it.

    Look at http://www.eranet.pl/servlet/com.sun...set?realm=Sims

    I know that it's not an Apache but that's how it works. Every time you try to login the Realm is different...

    What do you think - is it only possible using some kind of servlet?

    Maciek Sonik [maciek@sonik.pl]
  6. #4
    freebsd
    >>Every time you try to login the Realm is different

    What about surfing from one page to another?

    >>Look at http://www.eranet.pl/servlet/com.sun...set?realm=Sims

    Can't look without a password
  8. #5
    >>What about surfing from one page to another?

    Once you're logged in you can surf all pages in that directory.

    >>Can't look without a password
    Sorry, can't give you mine.

    MS


    [This message has been edited by macieksonik (edited August 27, 2000).]
  10. #6
    freebsd
    >>Sorry, can't give you mine

    Well, can't check that out without a password.

    Anyway, instead of altering the AuthName, I can only think of using "Apache-AuthCookie" to force IE users to get a login prompt every time.

    Apache-AuthCookie-2.011.tar.gz can be downloaded at -> http://www.perl.com/CPAN-local/modules/by-module/Apache

    You need to customize a script to delete the cookie when the session ends. On the next visit, your user will have to enter the password again since he has no cookie.
    You should go ahead and download Apache-AuthCookie-2.011.tar.gz and check out what it is all about.

    Note, altering the global AuthName is not the right approach. Each user needs to be customized or be ticket-based.

    [This message has been edited by freebsd (edited August 27, 2000).]
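
The per-login realm asked about in the first post, combined with the ticket idea from the last reply, as an added example that is not code from the thread, from Apache, or from Apache-AuthCookie. It assumes the browser stores saved Basic-auth passwords per host and realm; the cookie name `realm_ticket`, the `handle` function, the TTL and the demo account are hypothetical.

```python
import base64, hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SECRET = secrets.token_bytes(32)    # server-side signing key
TICKET_TTL = 1800                   # seconds one realm stays valid (assumed)
USERS = {"alice": "correct horse"}  # constructed demo account; use hashed storage in practice

def _sign(nonce, issued):
    msg = f"{nonce}.{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def new_ticket(now):
    nonce, issued = secrets.token_hex(4), int(now)
    return f"{nonce}.{issued}.{_sign(nonce, issued)}"

def valid_ticket(ticket, now):
    try:
        nonce, issued, sig = ticket.split(".")
        age = now - int(issued)
    except ValueError:
        return False
    return hmac.compare_digest(sig.encode(), _sign(nonce, issued).encode()) and 0 <= age < TICKET_TTL

def credentials_ok(auth_header):
    if not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:              # bad base64 or bad UTF-8
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def handle(headers, now=None):
    """Return (status, response_headers) for one request to the protected area."""
    now = time.time() if now is None else now
    cookie = SimpleCookie(headers.get("Cookie", ""))
    ticket = cookie["realm_ticket"].value if "realm_ticket" in cookie else ""
    out = {}
    if valid_ticket(ticket, now):
        # Same ticket -> same realm, so moving between pages does not re-prompt.
        if credentials_ok(headers.get("Authorization", "")):
            return 200, out
    else:
        # No or expired ticket: new realm. The session cookie ends with the browser session.
        ticket = new_ticket(now)
        out["Set-Cookie"] = f"realm_ticket={ticket}; Path=/; HttpOnly; Secure"
    out["WWW-Authenticate"] = f'Basic realm="Members {ticket.split(".")[0]}"'
    return 401, out
```

Credentials that arrive without a valid ticket are refused on purpose, so a browser that still holds the password in memory is challenged again under the new realm.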
