On Wednesday, 16 May 2012 11:25:56 alexander.elg...@t-systems.com wrote:
> sure I am interested in the mod_perl answer to retrieve the AUTH password.

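use APR::Base64 ();  # header is "Basic <base64 of user:password>"; only the first ':' separates the two
($pw=APR::Base64::decode(($r->headers_in->{Authorization}||'')=~/^Basic\s+(\S+)/i ? $1 : ''))=~s/^[^:]*://;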

or

use Apache2::Access ();
($rc, $pw)=$r->get_basic_auth_pw;

> I am using mod_perl on a x86 sparc with oracle 10, 32 bit client.
> 
> If the payload is stored to a hard disk, then it makes sense to encrypt the
> payload. But as said, I do not want to talk about all the reasons why I
> prefer this solution.

With pure modperl nothing is stored/cached on disk. CGI.pm may store file 
uploads. HTTP headers are not stored in any way. The operating system, 
however, may decide to store this information on disk by means of virtual 
memory management. To prevent that, you can turn off swapping completely or 
forbid swapping by locking your process into RAM (see mlockall(2)).

As for the 2 mod_rewrite based solutions, both reveal the password, at least on 
standard Linux, to a possibly unauthorized audience, even with SSL, if a 
traditional CGI script is involved. Both rely on passing the information via 
the process environment, which is readable via /proc. This is perhaps the 
reason why the header was not passed on in the first place.

Torsten Förtsch

-- 
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net
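
An added example, not part of the original message: a check an administrator can run to see whether the Authorization header is reaching child processes through the environment, as the last paragraph of the reply describes. It reports process IDs and variable names only, never the values. The variable names in CRED_VARS, the proc-root argument and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: list processes whose environment carries HTTP credentials.
# Assumption: the rewrite rule exports the header under one of these names;
# adjust CRED_VARS to whatever your configuration actually sets.
CRED_VARS='HTTP_AUTHORIZATION|REDIRECT_HTTP_AUTHORIZATION'

# Print "pid<TAB>variable-name" for each match. $1 is the proc root
# (default /proc) so the check can also run against a copied or fake tree.
find_cred_env() {
    proc_root=${1:-/proc}
    for env_file in "$proc_root"/[0-9]*/environ; do
        # environ files of other users' processes are not readable; skip them
        [ -r "$env_file" ] || continue
        pid=${env_file%/environ}
        pid=${pid##*/}
        # environ holds NUL-separated NAME=value records; emit the NAME only
        tr '\0' '\n' < "$env_file" 2>/dev/null |
            sed -n -E "s/^($CRED_VARS)=.*/\1/p" |
            while IFS= read -r name; do
                printf '%s\t%s\n' "$pid" "$name"
            done
    done
}

# Constructed sample: a fake proc tree with one CGI child that received the
# header via its environment (pid 4242) and one unrelated process (pid 17).
# The credential is the constructed pair demo:demo.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/4242" "$d/17"
    printf 'PATH=/usr/bin\0HTTP_AUTHORIZATION=Basic ZGVtbzpkZW1v\0' > "$d/4242/environ"
    printf 'PATH=/usr/bin\0HOME=/root\0' > "$d/17/environ"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; prints one line: 4242<TAB>HTTP_AUTHORIZATION
sample=$(make_sample_proc) && find_cred_env "$sample"
rm -rf "$sample"
```

On a live server, call find_cred_env with no argument while a CGI request is being handled; any output means the password is sitting in a process environment.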
