I've tried to search the archives, bug reports and FAQs and didn't find any definitive answers on the security issue dealing with the plain text password being kept in PHP_AUTH_PW even when you use external authentication. Since it seems like the developers haven't answered any of the bug reports related to this issue, what has anyone done to remove this security issue of being able to grab users' passwords? It seems in an older version of PHP you could (to quote the older manual):
[Begin quote]
Note however that the above does not prevent someone who controls a non-authenticated URL from stealing passwords from authenticated URL's on the same server. The PHP_AUTH_VARS define in php.h can be undefined to make sure that these variables will never be set and thus disable anybody from using mod_php to try to steal passwords.
[End quote]

Since it seems that variable (PHP_AUTH_VARS) doesn't exist any longer, an admin can't use that method any longer. Can someone please mail me what they modified in the code or configured to disable this *feature* of external passwords being kept in PHP_AUTH_PW? I do NOT mind at all disabling PHP authentication entirely since we only use external authentication.

Please mail me directly since I'm not on this list.

Thanks for your time,
Lenny Miceli

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php