On Fri, 26 Jan 2001 17:36:57 -0600, Richard Lynch <[EMAIL PROTECTED]> wrote:

> > I am currently using Apache-1.3.14 with php-4.0.4pl1 compiled
> > statically into it and running on RedHat Linux 6.2. Apache is
> > configured to do authentication for certain URLs via an auth_ldap
> > module which is dynamically loaded when Apache starts.
> >
> > I noticed that when I access the protected URL, PHP_AUTH_PW will
> > give me the password for the user who is currently logged to the
> > protected site. If I recall correctly, earlier versions of PHP4
> > and PHP3 didn't have this "feature".
> 
> Hmm.  It was always there if PHP was doing the authentication --
> but I dunno if auth_ldap always had it.

errmm.. PHP wasn't doing the authentication. Basically I am using the 
basic Apache .htaccess authentication which calls auth_ldap to do 
authentication to a backend LDAP server. PHP is just used for "simple" 
website scripting and such.

Previously, when using earlier versions of PHP3 and PHP4 (can't really 
recall the version numbers), I am quite certain PHP_AUTH_PW didn't hold 
the user's password (under exactly the same configuration), as back then 
I was *trying* to find means and ways to get out the password so as to 
automate certain processes without the user having to enter the 
password multiple times, but it was not successful. Only after upgrading 
to 4.0.3 did I notice that PHP_AUTH_PW is now holding the user's 
password.

> Now, I could be grossly mistaken, but you're only seeing your own
> password, not somebody else's, right?...

Yeap... I am seeing my own password.

> > This "feature" creates a problem when the protected URL is shared
> > by many parties with each party providing its own services under
> > the protected URL, as any party would be able to "steal" the
> > username/password without the end user knowing. The
> > username/password is used to control who has access to the
> > protected URL and the parties are not required to make use of the
> > password.
> 
> Oh...  I'm not sure I follow this...  You're giving them access to
> a URL, using a password shared by a group somehow, but they don't
> actually know their own password?   How does the password get into
> the picture to start with?

Errm, not really. Each person has his/her own username/password, which is 
unique and personal to each person and is also used for other purposes.

The situation is that I have this main site which requires each person 
to "login" using their own username/password before gaining access so as 
to prevent unauthorised access to the site. And then within the site 
itself, there are different groups of developers (which may or may not 
be the same as the users, they can be outsiders too) which write their 
own programs for different purposes, i.e. forum, chatroom etc.

So the problem arises as these developers will be able to capture the 
password of the user who is accessing the program, for good or for bad, 
without the user knowing at all, as the developer can just save 
PHP_AUTH_USER and PHP_AUTH_PW somewhere, and this could constitute a 
security problem.

Erm... do you have any idea how to overcome this problem?

Many thanks in advance for your help!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
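The exposure described in this thread follows from how HTTP Basic authentication works rather than from anything specific to PHP: the browser resends the base64-encoded `username:password` pair in the `Authorization` header on every request to the realm, so any script that runs inside that realm and can read request headers (or the `PHP_AUTH_USER`/`PHP_AUTH_PW` variables Apache derives from them) sees the cleartext password. The following Python model, an added example that is not from the thread or from PHP/Apache, shows what a co-hosted script sees when the header is passed through unchanged, and contrasts it with a hypothetical front-end design in which the authenticating component checks the credential and forwards only the verified identity (a `REMOTE_USER` header, assumed to be trusted by downstream scripts only when it comes from that front-end), so the password never reaches the developers' programs. The request headers, the `alice`/`s3cret-pw` credential and the `verify` callback are constructed for the example; in the poster's setup the check would be the LDAP bind performed by auth_ldap.

```python
import base64
from typing import Callable, Dict, Optional, Tuple

# Constructed sample request: what a browser sends on every request to a
# Basic-auth protected realm after the user has logged in once.
SAMPLE_REQUEST_HEADERS: Dict[str, str] = {
    "Host": "intranet.example.invalid",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret-pw").decode("ascii"),
}


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic credential (RFC 2617 form: base64 of "user:password").

    Returns (user, password), or None when the header is absent, uses a
    different scheme, is not valid base64, or lacks the ':' separator.
    """
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def php_visible_environment(headers: Dict[str, str]) -> Dict[str, str]:
    """Model of what a script behind the web server sees when the
    Authorization header is passed through unchanged: both the user name
    and the cleartext password are available to it."""
    env: Dict[str, str] = {}
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None:
        env["PHP_AUTH_USER"], env["PHP_AUTH_PW"] = creds
    return env


def gateway_forward(
    headers: Dict[str, str], verify: Callable[[str, str], bool]
) -> Optional[Dict[str, str]]:
    """Hypothetical authenticating front-end (an assumption of this example,
    not an Apache or PHP feature).

    It checks the credential with `verify` (the LDAP bind in the thread's
    setup) and forwards the request with the Authorization header removed
    and only the verified identity attached as REMOTE_USER. Returns None
    when authentication fails (a 401 in a real server).
    """
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None or not verify(*creds):
        return None
    user, _password = creds
    forwarded = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    # Assumption: downstream scripts accept REMOTE_USER only from this gateway.
    forwarded["REMOTE_USER"] = user
    return forwarded


def demo_verify(user: str, password: str) -> bool:
    """Constructed stand-in for the directory check; accepts one sample user."""
    return (user, password) == ("alice", "s3cret-pw")


if __name__ == "__main__":
    # Header passed straight through: the co-hosted script can read the password.
    print("pass-through:", php_visible_environment(SAMPLE_REQUEST_HEADERS))
    # Authentication terminated at the gateway: only the identity is forwarded.
    forwarded = gateway_forward(SAMPLE_REQUEST_HEADERS, demo_verify)
    print("via gateway:", forwarded, php_visible_environment(forwarded or {}))
```

Running the module prints the two views side by side: in the pass-through case the environment carries `PHP_AUTH_PW`, in the gateway case it carries only `REMOTE_USER`. The design point is that the password can only be kept from co-hosted code by terminating authentication in a component those scripts cannot read headers from, which is exactly what an Apache module running in the same process as statically compiled PHP does not give you.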
