> I am currently using Apache-1.3.14 with php-4.0.4pl1 compiled statically
> into it and running on RedHat Linux 6.2. Apache is configured to do
> authentication for certain URLs via an auth_ldap module which is
> dynamically loaded when Apache starts.
>
> I noticed that when I access the protected URL, PHP_AUTH_PW will give me
> the password for the user who is currently logged in to the protected site.
> If I recall correctly, earlier versions of PHP4 and PHP3 didn't have
> this "feature".

Hmm.  It was always there if PHP was doing the authentication -- but I dunno
if auth_ldap always had it.

You may be able to configure auth_ldap to not put it into the environment.

Now, I could be grossly mistaken, but you're only seeing your own password,
not somebody else's, right?...

> This "feature" creates a problem when the protected URL is shared by
> many parties with each party providing its own services under the
> protected URL as any party would be able to "steal" the
> username/password without the end user knowing. The username/password is
> used to control who has access to the protected URL and the parties are
> not required to make use of the password.

Oh...  I'm not sure I follow this...  You're giving them access to a URL,
using a password shared by a group somehow, but they don't actually know
their own password?   How does the password get into the picture to start
with?

--
Visit the Zend Store at http://www.zend.com/store/
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm


