2009/2/1 Michele Waldman <mmwald...@nyc.rr.com>: The userlist (http://httpd.apache.org/userslist.html) might be a better place, but...
> I want to do the following in htaccess for account security: > > <FilesMatch ".*[^(wp_login.php|logout.php)]"> That would not do what it should do. [^...] is a negated character class to exclude certain characters but not a specific string. You'll need a negative lookahead <FilesMatch "^(?!wp_login\.php|logout\.php)"> > Basic authentication doesn't "remember" the authtype, but Digest does. AuthType? AuthName, I guess. > I'm connecting over a secure certificate. I believe a user could possible > telnet and send an authorization header? I'd expect that you/your module would require SSL/TLS, but if a client sends an authorization request header which contains 'Account', you'd "authenticate". Not very secure?! > I want to know the risk of them getting or guessing the right AuthType under > these circumstances. If you're requesting wp_login.php AuthName should be served. Of course, someone needs to know that; you could perform a probability calculation, of course. Expect the unexpected. > The point of this is to avoid the ugly popus that require authentication > causes. How do you convince the client to send an authorization request header? Via such a popup for wp_login.php. Once authenticated the popup shouldn't appear for that session and realm but I guess your point is that no one should see that they can authenticate except they are using the back door link wp_login.php? > Does anyone have any suggestions on a better approach? May be. If my last assumption is your point modify/write an auth module which replies with a - 401 - for certain URLs (e.g. /wp_login.php) if no authorization header was present or - for all URLs if an authorization header was present but the credentials didn't match; or with a - 403 if the condition for a 401 didn't match. The bottom line would be that the client is either authenticated or receives a 403 forbidden instead of a 401. Bob
