Re: A more secure form of .htaccess?
On Sat, Apr 27, 2002 at 03:32:45AM +0200, martin f krafft wrote:
> also sprach Dan Faerch <dan@fake.dk> [2002.04.26.1955 +0200]:
> > Second more, if your users are allowed to have pages on the same
> > address as the login system, the browser can, without much effort,
> > be tricked into giving away your systems username and password to
> > a personal user page...
>
> how?
Take a look at http://www.php.net/manual/ro/features.http-auth.php
If someone's already logged in, and they visit a webpage on the same domain
which asks for a username and password for the same realm as the one used to
log in, the browser will send the username/password pair without asking the
user for any confirmation.
At least I assume that's what Dan meant above and I assume that that would
happen (I haven't tried it myself).
Gareth
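A toy model of the browser behaviour described above, added here as an illustration and not part of the original thread: HTTP Basic credentials are cached per protection space (scheme, host, port and realm, following RFC 2617), so a challenge from any page on the same host that names the same realm is answered from the cache without a prompt, whereas moving user pages to a separate host breaks the match. The hostnames, realm and credentials are constructed sample values.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProtectionSpace:
    """RFC 2617 protection space: canonical root URL of the server plus realm."""
    scheme: str
    host: str
    port: int
    realm: str


def protection_space(url: str, realm: str) -> ProtectionSpace:
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return ProtectionSpace(u.scheme, (u.hostname or "").lower(), port, realm)


@dataclass
class BrowserCredentialCache:
    """Simplified browser Basic-auth cache keyed by protection space."""
    store: dict = field(default_factory=dict)

    def remember(self, url: str, realm: str, username: str, password: str) -> None:
        # Called after a successful login: the browser keeps the pair for reuse.
        self.store[protection_space(url, realm)] = (username, password)

    def answer_challenge(self, url: str, realm: str):
        """Credentials sent for a 401 challenge, or None (the browser would prompt)."""
        return self.store.get(protection_space(url, realm))


def realm_collision(login_url: str, login_realm: str,
                    user_page_url: str, user_page_realm: str) -> bool:
    """Hosting check: would a challenge from a user page replay the login credentials?"""
    return protection_space(login_url, login_realm) == \
        protection_space(user_page_url, user_page_realm)


if __name__ == "__main__":
    cache = BrowserCredentialCache()
    cache.remember("http://www.example.org/login/", "Members", "alice", "s3cret")
    # Same host and same realm: the pair is sent without any confirmation.
    print(cache.answer_challenge("http://www.example.org/~user1/", "Members"))
    # User pages on a separate host: no cached match, so the browser prompts.
    print(cache.answer_challenge("http://users.example.org/~user1/", "Members"))
```

The `realm_collision` check is the one to run against a hosting layout before letting user-controlled pages share the login system's host and realm.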
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org