From: Reini U. <ru...@x-...> - 2003-12-23 14:03:04
Sergio Trejo wrote:
> I saw someone also post recently about using a .htaccess file
> (presumably using Basic Authentication) which is really perhaps not a
> good idea considering the password gets sent in the clear. Also noticed
> the suggestion to use mod_auth_mysql. But getting back to the idea of
> authenticating for access to a PHPWiki instance via the context of
> .htaccess (or directory context in httpd.conf, etc.) ... what about the
> possibility of using Digest Authentication (mod_auth_digest)? I know it's
> still considered experimental by Apache since the server doesn't check
> the nonce reflected by the browser (and for a while there was a problem
> with browsers not supporting MD5 digest authentication), but most
> modern-day browsers I think are now supporting digest access. Perhaps it's
> overkill to use both digest (such as at the Wiki's root directory such
> that .htaccess files are not constantly being parsed by httpd for every
> request in subrealms)? Just an idea perhaps worth contemplating.

You can set up any auth scheme, whatever you want. But I don't think that HTTP digest auth has wide client support. Everybody still uses Basic, with the password md5'ed in the header. But you need a sniffer to get at these.

What I wrote about .htaccess auth is that we will include a file-style auth scheme, which can be used optionally, similar to basic HTTP auth. That means you don't get the browser's popup with user/password; instead you can log in at the normal phpwiki login page and authenticate against any htaccess-style file. (username:encrypted_password\n...) Such files are very simple to maintain and easier to set up than HTTP auth, which needs support by the local system administrator.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
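
The file-style scheme described in the message above (a login form checked against username:encrypted_password lines), sketched as an added example that is not part of the original post and is not PHPWiki's code. The function names parse_htpasswd() and file_auth() and the sample user are hypothetical, and only hash formats that PHP's crypt() understands are assumed.

```php
<?php
// Added example, not PHPWiki code. parse_htpasswd() and file_auth() are
// hypothetical names; the sample user and password are constructed.

/** Parse "username:encrypted_password" lines into [username => hash]. */
function parse_htpasswd(string $text): array
{
    $users = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank line or comment
        }
        // Split on the first ':' only; the hash is everything after it.
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            continue; // malformed entry: skip it, never treat it as "no password"
        }
        $users[$parts[0]] = $parts[1];
    }
    return $users;
}

/** Check a login-form password against the parsed entries. */
function file_auth(array $users, string $user, string $password): bool
{
    // Unknown users are checked against a throwaway hash to reduce the
    // timing difference between existing and non-existing usernames.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);
    }
    $known  = array_key_exists($user, $users);
    $stored = $known ? $users[$user] : $dummy;

    // crypt() reuses the scheme and salt embedded in the stored hash and
    // returns a short failure string ("*0"/"*1") for formats it cannot handle.
    $calc = crypt($password, $stored);
    return $known && strlen($calc) >= 13 && hash_equals($stored, $calc);
}

// Constructed sample file; the hash is generated here, not taken from anywhere.
$sample = "# constructed sample\n"
        . 'alice:' . password_hash('correct horse', PASSWORD_BCRYPT) . "\n"
        . "line-without-separator\n";
$users = parse_htpasswd($sample);
var_dump(file_auth($users, 'alice', 'correct horse'));
var_dump(file_auth($users, 'alice', 'wrong'));
var_dump(file_auth($users, 'mallory', 'correct horse'));
```

With a login form the password still crosses the network in the POST body, so the file-based check only protects the stored credentials; the transport needs TLS either way.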