I don't think it is easy to steal the password by using PHP_AUTH_PW.
PHP_AUTH_PW is cached in the browser; if you exit the browser, nobody can
steal it. If other people are using a different browser, there is no way
for them to steal it even if they are accessing the same URL.
Just my understanding.
David
>From: Chen Shiyuan <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [PHP] AUTH_PW & External Authentication
>Date: Fri, 26 Jan 2001 23:50:17 +0800 (SGT)
>
>Hello everyone!
>
>I am currently using Apache-1.3.14 with php-4.0.4pl1 compiled statically
>into it and running on RedHat Linux 6.2 . Apache is configured to do
>authentication for certain URLs via an auth_ldap module which is
>dynamically loaded when Apache starts.
>
>I noticed that when I access the protected URL, PHP_AUTH_PW will give me
>the password for the user who is currently logged in to the protected site.
>If I recall correctly, earlier versions of PHP4 and PHP3 didn't have
>this "feature" .
>
>This "feature" creates a problem when the protected URL is shared by
>many parties with each party providing its own services under the
>protected URL as any party would be able to "steal" the
>username/password without the end user knowing. The username/password is
>used to control who has access to the protected URL and the parties are
>not required to make use of the password.
>
>Is there any way to disable this "feature", or is the disclosure of the
>password a bug?
>
>Many thanks for any advice!
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
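As an added illustration, not part of this thread and not PHP's or Apache's own code, the following Python models what the original post describes: the browser's Basic Authorization header is only base64-encoded, PHP decodes it into PHP_AUTH_USER and PHP_AUTH_PW, and every script beneath one shared realm receives the same credential on each request. The user `alice`, the password `s3cret`, the host and the script paths are constructed for the example.

```python
import base64
import binascii


def basic_header(user, password):
    """Build the Authorization header value a browser sends for HTTP Basic auth.
    The credential is only base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def basic_credentials(headers):
    """Decode a Basic Authorization header into (user, password), or None.

    This is the same decoding PHP performs when it fills PHP_AUTH_USER and
    PHP_AUTH_PW from the request: any code that can read the header can read
    the password. Absent, non-Basic or malformed headers yield None.
    """
    value = headers.get("Authorization")
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # user-id ":" password; the user-id cannot contain ':', the password can.
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def php_auth_vars(request):
    """What PHP_AUTH_USER / PHP_AUTH_PW look like to a script serving this request."""
    creds = basic_credentials(request["headers"])
    if creds is None:
        return {}
    return {"PHP_AUTH_USER": creds[0], "PHP_AUTH_PW": creds[1]}


def realm_exposure(realm_prefix, script_paths, user, password):
    """Model the shared-realm situation from the post.

    One Basic realm covers realm_prefix and several parties host scripts
    beneath it. The browser attaches the same Authorization header to every
    request under the realm, so every script there receives the password.
    Returns the paths whose PHP_AUTH_PW would equal the user's password.
    """
    exposed = []
    for path in script_paths:
        if not path.startswith(realm_prefix):
            continue  # outside the realm: the browser sends no Authorization header
        request = {"path": path,
                   "headers": {"Authorization": basic_header(user, password)}}
        if php_auth_vars(request).get("PHP_AUTH_PW") == password:
            exposed.append(path)
    return exposed


# Constructed sample request: a browser that has already authenticated once
# against the realm covering /protected/ now fetches another party's script.
SAMPLE_REQUEST = {
    "method": "GET",
    "path": "/protected/partyB/index.php",
    "headers": {
        "Host": "www.example.com",
        "Authorization": basic_header("alice", "s3cret"),
    },
}

if __name__ == "__main__":
    print(php_auth_vars(SAMPLE_REQUEST))
    print(realm_exposure("/protected/",
                         ["/protected/partyA/a.php",
                          "/protected/partyB/index.php",
                          "/public/z.php"],
                         "alice", "s3cret"))
```

The point `realm_exposure` makes is the one raised in the post: the credential is presented to every handler under the realm on every request, regardless of which party wrote the script, so hiding it from those scripts is not something the browser can do for you.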