On 2011-10-04 14:44, Neal Rhodes wrote:
We have bunches of web applications which use the regular Apache login
protection,
Do you mean HTTP Basic Auth, as defined in RFC 2616 ?
and they won't run unless REMOTE_USER is set by the Apache login.
<Limit GET>
require valid-user
</Limit>
<Limit POST PUT DELETE>
require valid-user
</Limit>
AuthName O-Visitor
AuthUserFile /usr/appl/cgi/.htpasswd
AuthType Basic
Yes, this is HTTP Basic AUTH.
It says so right there.
Looking at improving security, it would seem that it would be much
harder to conduct brute-force attacks on these systems if we could
configure Apache login to do two things:
You can't.
There is no "login", just an Authorization: header which has to be sent
for every page that requires it.
A. Present the CAPTCHA style validation prompt as part of the
login, to make it difficult for scripted attacks to proceed;
B. Lockout an individual username in the .htpasswd file after X
failed login attempts.
Actual login-ness (a state of logged in being different from a state of
not being logged in) must be achieved through non-HTTP means, possibly
supported by HTTP features such as cookies.
--
J.
