Htaccess:
-----------
You should be aware that when you use normal .htaccess protection, the browser never logs out.. With e.g. Internet Explorer, all instances of IE have to be closed to make the browser forget the login..

There are several tricks to make the browser forget the login, but none really secure.. One is to make a logout link that links to e.g. https://logout:[EMAIL PROTECTED]/logout

In the "logout" folder you make a new htaccess file that uses another htpasswd file which contains a user called logout with a password called logout, but keeping the same REALM.. (the realm is important).. This rewrites the browser credentials for your realm with username and password "logout".. (Make sure users in /logout have no vital access, of course.) The hard part is to get ppl to use the logout link and not just close the instance of the browser..

Secondly, if your users are allowed to have pages on the same address as the login system, the browser can, without much effort, be tricked into giving away your system's username and password to a personal user page...

Switches:
------------
The subject of switches.. It is a general misunderstanding that switches provide security.. There are several easy tricks to make a switch spill its guts.. They were designed for performance and no one ever promised security :)

SSL:
-------
No, you do not need to purchase a certificate.. Simply generate your own.. Yet, in an environment where users share the same PC, security is hard to achieve (I am assuming that you're running a Windows environment), since various keyloggers can be installed on the clients, and you have access to the cache and the cookies. On this I have no wondrous advice :)..

(I didn't follow the thread, only the content of this mail, so I hope I'm not repeating anything already said)

- Dan Faerch
A/S ScanNet (Denmark)

----- Original Message -----
From: "eim" <[EMAIL PROTECTED]>
To: "Schusselig Brane" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, April 26, 2002 5:57 PM
Subject: Re: A more secure form of .htaccess?

> Hallo Brane,
>
> I'm actually a K-13 student, and so in my 'strategic'
> position I'm on both sides, admin of a Debian box and 3v1l cracker :)
>
> No, well.. I was just kidding, I have really better things to
> do than actually cracking Debian boxes in public environments,
> but anyway, what do you think about using https for .htaccess
> authentication?
>
> With https data will be encrypted and it's impossible to
> find out login and password because they're not sent over
> the net in the clear.
>
> Consider using https.
>
> Good work and protect your boxes!
>
> - Ivo
>
> On Thu, Apr 25, 2002 at 09:09:03PM -0600, Schusselig Brane wrote:
> > Tom Dominico wrote:
> > >
> > > Hello all,
> > >
> > > I have written some php-based internal systems for our users. Users are
> > > required to authenticate to access this system, and their login
> > > determines what they are allowed to do within the system. I am
> > > concerned that their logging in with cleartext passwords is a security
> > > risk. I work in a K-12 school environment, and many of these students
> > > are rather devious and resourceful (as I was at that age :) ). My fear
> > > is some bright student setting a sniffer up on my network and gleaning
> > > passwords from it.
> > >
> > > I am wondering if any of you have had similar problems. What is a more
> > > secure way for people to login? Is SSL an option, and if so, how do I
> > > go about using it? Do I have to purchase a certificate? Or is there
> > > some other option? Finally, should I be using .htaccess at all, or is
> > > there a better way? Thank you in advance for your advice.
> >
> > Another option would be to run switches instead of a normal hub or bus
> > topology. Switches tend not to allow other nodes on a network to see
> > data that is passing over it. However, it will more than likely prove to
> > be a PITA to convince budget makers to allow the expense of the new
> > equipment.
> >
> > Useless input, I know. But, I didn't see anyone else mention this. As a
> > side note, if your installation is new enough, switches may already be
> > in place, and you don't have much to worry about as far as stuff getting
> > sniffed off the network. That is, of course, if the network was designed
> > with that in mind.
> >
> > -Will Wesley, CCNA
> > To make tax forms true they should read "Income Owed Us" and "Incommode
> > You".
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
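The "/logout" trick from the Htaccess section at the top of the thread, written out as an added example rather than Dan's own configuration; the directory paths, the realm name "Internal Systems" and the host www.example.org are assumed placeholders.

```apacheconf
# Added example, not from the thread. Two .htaccess files sharing one realm,
# so that authenticating against /logout/ overwrites the browser's cached
# credentials for the real application. Paths and realm name are placeholders.

# ---- /var/www/internal/.htaccess : the protected application ----
AuthType Basic
AuthName "Internal Systems"                # the realm; /logout/ must use exactly this string
AuthUserFile /etc/apache2/htpasswd.users   # the real accounts (hypothetical path)
Require valid-user

# ---- /var/www/internal/logout/.htaccess : the logout directory ----
# A separate password file holding only the throwaway account, created with:
#   htpasswd -c /etc/apache2/htpasswd.logout logout      (password: logout)
# Keep this directory limited to a static "you are logged out" page.
AuthType Basic
AuthName "Internal Systems"                # same realm as above, on purpose
AuthUserFile /etc/apache2/htpasswd.logout  # "logout" exists in no other password file
Require user logout                        # only the throwaway account may enter here

# The logout link the page serves, with the throwaway credentials in the URL:
#   <a href="https://logout:logout@www.example.org/internal/logout/">Log out</a>
```

Because the logout account appears only in htpasswd.logout, the overwritten credentials are rejected by every other directory in the realm, which is the "no vital access" condition Dan mentions. Many current browsers warn about or ignore credentials embedded in a URL, so the link works only where the browser still honours that syntax.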