On Wed, 2002-04-10 at 11:18, Mark Komarinski wrote:
> If you created www.foo.com/secure that was password-protected,
> the password/username gets passed back and forth for each page
> underneath it (http://httpd.apache.org/docs/howto/auth.html#basiccaveat)
> The referenced page mentions this as a caveat for basic auth, but
> probably is true no matter what kind of authentication you use.

Through all of that, I never even thought about using Apache's built-in authentication system. I was thinking about an actual login page, maybe using PHP sessions or something. I'll have to look into this....

> From there, it shows up as a variable to the CGI/PHP scripts that can
> pull it out if it knows where to look. It would require hacking of
> each application, but I think it can be done.

No matter what I do, it will require some hacking of each application, but I'm starting to like this idea. If I remember correctly, you can set up the htpasswd file to use encrypted passwords, which beats a backend MySQL database authentication.

> If you go this route, SSL all the way. But you probably knew that.

That is a given ;-) I only run Apache-ssl these days. This is all for internal (intranet) use anyway. The only way for people in the field to access this stuff will be via VPN, so the security will be fairly tight.

Thanks,
Kenny

--
----------------------------------------------------------------------------
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
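
The basic-auth caveat discussed in this thread, as an added example that is not part of the original messages: it decodes the `Authorization: Basic` header from three constructed requests under `/secure` to show that the same recoverable username and password ride on every request, and derives the standard CGI variables (`AUTH_TYPE`, `REMOTE_USER`) a script would read. The user name, password and sub-paths are made up for illustration.

```python
import base64
import binascii

# Constructed sample: requests a browser would send after one login to the
# /secure area (hypothetical user "kenny", password "s3cret:pw").
_CRED = base64.b64encode(b"kenny:s3cret:pw").decode()
SAMPLE_REQUESTS = [
    f"GET {path} HTTP/1.0\r\nHost: www.foo.com\r\nAuthorization: Basic {_CRED}\r\n\r\n"
    for path in ("/secure/", "/secure/app1/index.php", "/secure/app2/report.cgi")
]


def parse_basic_auth(raw_request):
    """Return (username, password) from a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None  # not Basic: nothing to decode
        try:
            # Base64 is an encoding, not encryption: anyone can reverse it.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed header
        user, sep, password = decoded.partition(":")  # first colon only
        return (user, password) if sep else None
    return None


def cgi_auth_env(raw_request):
    """CGI variables (RFC 3875) a script sees for an authenticated request."""
    creds = parse_basic_auth(raw_request)
    if creds is None:
        return {}
    return {"AUTH_TYPE": "Basic", "REMOTE_USER": creds[0]}


def exposed_credentials(requests):
    """Map each request path to the credentials readable from the cleartext."""
    return {req.split(" ", 2)[1]: parse_basic_auth(req) for req in requests}


if __name__ == "__main__":
    for path, creds in exposed_credentials(SAMPLE_REQUESTS).items():
        print(path, creds)
    print(cgi_auth_env(SAMPLE_REQUESTS[1]))
```

Without TLS, every one of these requests is a separate chance to capture the password, which is why the thread settles on SSL for the whole protected tree.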