Post #1 by Contributing User (pgudge), South Yorkshire, joined Jul 2001

.htaccess security


I'm in the process of writing a web application and am starting to look into the authorisation of things.

I've been using .htaccess security for quite a while and also PHP sessions, and MySQL password stuff.

For this web app, I'm gonna be using the .htaccess (hopefully) as a MySQL server will not be available.

What my question is, is the .htaccess authorisation secure enough?

Are the passwords transmitted from the client to the web server encrypted or not?
    regards,

    pgudge
Post #2 by Contributing User (pgudge), South Yorkshire, joined Jul 2001

What's with DevShed these days? No one, no answers.

Anyway, found the solution. And just in case anyone else is seeking an answer to the question:

passwords are not sent encrypted, but not sent in plain text either; they are sent uuencoded, so anyone watching the packets fire around the network will not see the plain-text passwords.

But anyone catching the right packets would be able to capture the password(s).
    regards,

    pgudge
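Added example, not code from the thread or from Apache: what a browser actually puts on the wire for `.htaccess` Basic authentication, and how the server side checks it. Basic credentials are base64-encoded per RFC 2617 (base64, not uuencode), which is a reversible encoding, so anyone who sees the header sees the password; the server then compares against a `.htpasswd` entry, shown here for the `{SHA}` format that `htpasswd -s` writes (the `$apr1$` and bcrypt formats are not implemented). The user name and password are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth:
    'Basic ' + base64('user:password'). Encoding only, no secrecy."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic Authorization header.
    Anyone holding the header can do this, which is why Basic auth
    over plain HTTP exposes the password to every hop on the path."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def sha_htpasswd_entry(user: str, password: str) -> str:
    """Produce the line `htpasswd -s` writes: user:{SHA}base64(SHA-1(pw))."""
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return f"{user}:{{SHA}}{digest}"


def load_htpasswd(text: str) -> Dict[str, str]:
    """Parse user:hash lines; blank lines and '#' comments are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def check_sha_password(stored: str, password: str) -> bool:
    """Verify a password against a {SHA} entry with a constant-time compare."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def authenticate(header: str, htpasswd_text: str) -> Optional[str]:
    """What the server does on every request: decode, look up, compare.
    Returns the user name on success, None otherwise."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    stored = load_htpasswd(htpasswd_text).get(user)
    if stored is None or not check_sha_password(stored, password):
        return None
    return user


# Constructed sample data (hypothetical user and password, not from the thread).
SAMPLE_HTPASSWD = sha_htpasswd_entry("pgudge", "s3cret")
SAMPLE_HEADER = basic_header("pgudge", "s3cret")

if __name__ == "__main__":
    print("on the wire:", SAMPLE_HEADER)
    print("decoded    :", parse_basic_header(SAMPLE_HEADER))
    print("login      :", authenticate(SAMPLE_HEADER, SAMPLE_HTPASSWD))
```

The `.htpasswd` file only ever stores a hash, so a leaked file is far less damaging than a leaked header: the header carries the password itself, and the only thing that protects it in transit is TLS.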
Post #3 by Mobbing Gangster, Melbourne, Australia, joined Sep 2001

> passwords are not sent encrypted, but not sent in plain text either; they are sent uuencoded, so anyone watching the packets fire around the network will not see the plain-text passwords.
>
> But anyone catching the right packets would be able to capture the password(s).

That only happens in Basic authentication. When you're using Digest authentication your password is sent in md5 - and that is pretty secure. Look into mod_auth_digest for more information.

And you know I mean that.
Post #4 by Contributing User, joined Oct 2000
Sending your password md5-encoded is just as secure as sending clear text (if you don't consider script-kiddies - that don't really know what they are doing - catching your output).

You can just repeat the sent data (md5-encoded) and it will log you in just as a plain password would.

For better security there is no way around SSL!
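Added example for posts #3 and #4, not code from the thread or from mod_auth_digest: the RFC 2617 Digest computation that mod_auth_digest implements with `qop=auth`, on both the client and server side. The server stores `user:realm:HA1` (what `htdigest` writes), issues a nonce with each challenge, and tracks the nonce-count, so the md5 value on the wire is bound to that nonce and that count: re-sending a captured response under the same nonce, or under a fresh challenge, does not verify. The user, realm, password and URI are constructed sample values; `DigestVerifier` is a hypothetical minimal server, not Apache's implementation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """What `htdigest` writes: user:realm:HA1 with HA1 = MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user: str, realm: str, password: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client side: derives HA1 from the typed password; the password itself never leaves the browser."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


class DigestVerifier:
    """Hypothetical minimal server: htdigest entries plus per-nonce replay tracking."""

    def __init__(self, htdigest_text: str) -> None:
        self.ha1: Dict[Tuple[str, str], str] = {}
        for line in htdigest_text.splitlines():
            if not line.strip():
                continue
            user, realm, ha1 = line.strip().split(":", 2)
            self.ha1[(user, realm)] = ha1
        self.issued: Dict[str, int] = {}  # nonce -> highest nonce-count accepted

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce (sent in WWW-Authenticate)."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, user: str, realm: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, response: str) -> bool:
        ha1 = self.ha1.get((user, realm))
        if ha1 is None or nonce not in self.issued:
            return False  # unknown user or a nonce this server never issued
        count = int(nc, 16)
        if count <= self.issued[nonce]:
            return False  # nonce-count already used: a straight replay
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False  # wrong password, or a response computed for another nonce
        self.issued[nonce] = count
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Constructed round-trip: one valid login, then the same response replayed twice."""
    server = DigestVerifier(htdigest_line("pgudge", "Private", "s3cret"))
    nonce = server.challenge()
    cnonce = "0a4f113b"
    resp = client_response("pgudge", "Private", "s3cret", "GET", "/admin/", nonce, "00000001", cnonce)
    first = server.verify("pgudge", "Private", "GET", "/admin/", nonce, "00000001", cnonce, resp)
    # Replay 1: identical message under the same nonce and nonce-count.
    replay_same = server.verify("pgudge", "Private", "GET", "/admin/", nonce, "00000001", cnonce, resp)
    # Replay 2: the captured response offered against a fresh challenge.
    new_nonce = server.challenge()
    replay_fresh = server.verify("pgudge", "Private", "GET", "/admin/", new_nonce, "00000001", cnonce, resp)
    return first, replay_same, replay_fresh


if __name__ == "__main__":
    print("first login, replay (same nonce), replay (fresh nonce):", demo())
```

`demo()` returns `(True, False, False)`. What Digest does not do is protect the request body or hide the user name and URI, and an observer who captures the exchange can still run an offline guessing attack against the md5 values, which is why post #4's conclusion stands: TLS is the layer that actually keeps the exchange private.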
