Bytes | Software Development & Data Engineering Community

Prevent setting of PHP_AUTH_PW?

I have an Apache 2.2.8 server all set up with mod_authnz_ldap to
authenticate via LDAP user/password pairs. It's all SSL to the web
server, SSL between the web server and LDAP, so it's pretty secure
even though it's Basic auth. By the time the PHP script runs, the
user has already authenticated and the PHP code can trust the value of
PHP_AUTH_USER.

So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
people's passwords just hanging around in $_SERVER for code to do
whatever it wants with it.

Jun 2 '08 #1
Mark Reed wrote:
> I have an Apache 2.2.8 server all set up with mod_authnz_ldap to
> authenticate via LDAP user/password pairs. It's all SSL to the web
> server, SSL between the web server and LDAP, so it's pretty secure
> even though it's Basic auth. By the time the PHP script runs, the
> user has already authenticated and the PHP code can trust the value of
> PHP_AUTH_USER.
>
> So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
> people's passwords just hanging around in $_SERVER for code to do
> whatever it wants with it.

Unless someone hacks your server, it isn't a problem. But if someone
hacks the server, you have more important things to worry about.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 2 '08 #2
On May 8, 7:53 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Mark Reed wrote:
>> So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
>> people's passwords just hanging around in $_SERVER for code to do
>> whatever it wants with it.
>
> Unless someone hacks your server, it isn't a problem. But if someone
> hacks the server, you have more important things to worry about.

It's not quite that simple. I'm more concerned about passwords
accidentally being revealed than I am about malicious attacks, since
the server is on a corporate LAN that's not exposed to the Internet.
Having the password hang around means that something as simple as
adding a print_r($_SERVER); for debugging purposes will cause the
password to show up in clear text in the browser window. That's not
cool.
Jun 2 '08 #3
Mark Reed wrote:
> On May 8, 7:53 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Mark Reed wrote:
>>> So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
>>> people's passwords just hanging around in $_SERVER for code to do
>>> whatever it wants with it.
>>
>> Unless someone hacks your server, it isn't a problem. But if someone
>> hacks the server, you have more important things to worry about.
>
> It's not quite that simple. I'm more concerned about passwords
> accidentally being revealed than I am about malicious attacks, since
> the server is on a corporate LAN that's not exposed to the Internet.
> Having the password hang around means that something as simple as
> adding a print_r($_SERVER); for debugging purposes will cause the
> password to show up in clear text in the browser window. That's not
> cool.

If you can't trust your developers, you're in trouble.

And anything you take out they can easily bypass.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 2 '08 #4
On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> If you can't trust your developers, you're in trouble.
>
> And anything you take out they can easily bypass.

For the third time, I'm not worried about malicious attacks. I don't
care how much I trust my developers... and in this case, I'm also the
developer, so that's a lot of trust... I don't want anyone's passwords
exposed. That said, I'm not trying to make it impossible to retrieve
passwords - all I'm trying to do is make it not automatic. This does
not seem to me like an outlandish request.

I don't even understand why the password is made available in the
first place. It seems that either you're doing the authentication
with PHP code, in which case the password is submitted to PHP as a
form field, or you're doing it in the web server, in which case the
PHP has no need to ever see the password.

Anyway, if you don't know of a way to prevent this behavior, that's
fine, but please stop telling me that it's unreasonable for me to want
to do so.

I'd settle for a way to insert a script that unsets it before any
other PHP is run. I don't suppose there's any way to insert a PHP
script that gets executed ahead of any other PHP code on the site?

Jun 2 '08 #5
Mark Reed wrote:
> On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> If you can't trust your developers, you're in trouble.
>>
>> And anything you take out they can easily bypass.
>
> For the third time, I'm not worried about malicious attacks. I don't
> care how much I trust my developers... and in this case, I'm also the
> developer, so that's a lot of trust... I don't want anyone's passwords
> exposed. That said, I'm not trying to make it impossible to retrieve
> passwords - all I'm trying to do is make it not automatic. This does
> not seem to me like an outlandish request.
>
> I don't even understand why the password is made available in the
> first place. It seems that either you're doing the authentication
> with PHP code, in which case the password is submitted to PHP as a
> form field, or you're doing it in the web server, in which case the
> PHP has no need to ever see the password.
>
> Anyway, if you don't know of a way to prevent this behavior, that's
> fine, but please stop telling me that it's unreasonable for me to want
> to do so.
>
> I'd settle for a way to insert a script that unsets it before any
> other PHP is run. I don't suppose there's any way to insert a PHP
> script that gets executed ahead of any other PHP code on the site?

Not without the possibility of it being bypassed.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 2 '08 #6
Mark Reed wrote:
> On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> If you can't trust your developers, you're in trouble.
>>
>> And anything you take out they can easily bypass.
>
> For the third time, I'm not worried about malicious attacks. I don't
> care how much I trust my developers... and in this case, I'm also the
> developer, so that's a lot of trust... I don't want anyone's passwords
> exposed. That said, I'm not trying to make it impossible to retrieve
> passwords - all I'm trying to do is make it not automatic. This does
> not seem to me like an outlandish request.
>
> I don't even understand why the password is made available in the
> first place. It seems that either you're doing the authentication
> with PHP code, in which case the password is submitted to PHP as a
> form field, or you're doing it in the web server, in which case the
> PHP has no need to ever see the password.
>
> Anyway, if you don't know of a way to prevent this behavior, that's
> fine, but please stop telling me that it's unreasonable for me to want
> to do so.
>
> I'd settle for a way to insert a script that unsets it before any
> other PHP is run. I don't suppose there's any way to insert a PHP
> script that gets executed ahead of any other PHP code on the site?

The only person you'd be protecting against is you. I think you should stop
getting fixated on something that is a total waste of time and get on with
something useful.
Jun 2 '08 #7
Wow. Somewhat judgmental as a group, are we? I wasn't aware I was
"fixated" on anything, and I'm pretty sure my supervisors - and the
compliance auditors - would disagree that it's a "waste of time" to
try and prevent the accidental disclosure of passwords.

Anyway.

To those who replied with actual information instead of flak, thank
you very much. I hadn't found "auto_prepend_file" because I hadn't
looked for "prepend" (I tried "prefix", "prolog(ue)", etc). But now I
have it working - I'm using Apache2's php_admin_value directive to set
auto_prepend_file, so it won't be overridden by .htaccess. I'm sure
there are five zillion ways around this setup, but again, I'm not
interested in preventing attacks, only accidents.

Thanks again.
Jun 2 '08 #8
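The setup Mark lands on in this post (a prepend file forced through php_admin_value so .htaccess cannot override it) as a worked example. This is added here and is not code posted by anyone in the thread; the file path, the vhost fragment and the sample $_SERVER contents are assumptions.

```php
<?php
/*
 * strip_auth_pw.php -- added example, not code from the thread.
 *
 * Assumed Apache vhost fragment (path is a placeholder):
 *
 *   <VirtualHost *:443>
 *       php_admin_value auto_prepend_file /etc/php/strip_auth_pw.php
 *   </VirtualHost>
 *
 * php_admin_value cannot be changed from .htaccess or ini_set(), so this
 * file runs before every PHP script in the vhost. The goal is the one
 * stated in the thread: stop the cleartext password from sitting in
 * $_SERVER where a stray print_r($_SERVER) would print it. It is not an
 * attempt to stop a script that deliberately re-reads the header.
 */

/** Keys in $_SERVER that carry the raw Basic-auth credentials. */
function credential_keys()
{
    return array(
        'PHP_AUTH_PW',                  // cleartext password filled in by mod_php
        'HTTP_AUTHORIZATION',           // raw "Basic base64(user:pw)" header, if passed through
        'REDIRECT_HTTP_AUTHORIZATION',  // same header after an internal redirect
    );
}

/**
 * Return a copy of $server with the credential-bearing keys removed.
 * PHP_AUTH_USER and REMOTE_USER are deliberately kept: the web server has
 * already verified that identity and scripts still need it.
 */
function strip_credentials(array $server)
{
    foreach (credential_keys() as $key) {
        unset($server[$key]);
    }
    return $server;
}

/** True if any credential key survived; handy for a smoke test. */
function credentials_exposed(array $server)
{
    foreach (credential_keys() as $key) {
        if (array_key_exists($key, $server)) {
            return true;
        }
    }
    return false;
}

/**
 * Self-check on a constructed sample of what mod_php populates for a
 * Basic-auth request (sample values are made up for this example).
 * Returns true when the password is gone and the username survived.
 */
function demo_strip()
{
    $sample = array(
        'REQUEST_URI'   => '/intranet/report.php',
        'REMOTE_USER'   => 'mreed',
        'PHP_AUTH_USER' => 'mreed',
        'PHP_AUTH_PW'   => 'not-a-real-password',
    );
    $clean = strip_credentials($sample);
    return !credentials_exposed($clean)
        && $clean['PHP_AUTH_USER'] === 'mreed'
        && $clean['REMOTE_USER'] === 'mreed';
}

// Apply to the real superglobal at top level so that every script that
// follows, debugging dumps included, sees only the scrubbed array.
$_SERVER = strip_credentials($_SERVER);

// PHP 5.2-era setups with register_long_arrays on keep an aliased copy.
if (isset($HTTP_SERVER_VARS)) {
    $HTTP_SERVER_VARS = strip_credentials($HTTP_SERVER_VARS);
}
```

Two practical notes. First, verify the directive actually took effect by requesting a page that does `var_dump(ini_get('auto_prepend_file'))`; if a `php_value` in a .htaccess or a per-directory `php_admin_value` in another block wins, the prepend silently does not run. Second, an Apache-side alternative that the thread does not discuss is mod_headers' `RequestHeader unset Authorization`, which by default runs in the fixup phase, after mod_authnz_ldap has checked the credentials; PHP then never parses the header at all, but `PHP_AUTH_USER` disappears along with the password, so scripts would have to read `$_SERVER['REMOTE_USER']` instead. Confirm that phase ordering on your own Apache and PHP versions before relying on it.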
Greetings, Mark Reed.
In reply to Your message dated Monday, May 12, 2008, 21:00:53,
> Wow. Somewhat judgmental as a group, are we? I wasn't aware I was
> "fixated" on anything, and I'm pretty sure my supervisors - and the
> compliance auditors - would disagree that it's a "waste of time" to
> try and prevent the accidental disclosure of passwords.
>
> Anyway.
>
> To those who replied with actual information instead of flak, thank
> you very much. I hadn't found "auto_prepend_file" because I hadn't
> looked for "prepend" (I tried "prefix", "prolog(ue)", etc). But now I
> have it working - I'm using Apache2's php_admin_value directive to set
> auto_prepend_file, so it won't be overridden by .htaccess. I'm sure
> there are five zillion ways around this setup, but again, I'm not
> interested in preventing attacks, only accidents.

Just to add a word:
To prevent revealing of something, DO NOT do that at all.
If You do not want to disclose a variable, do not use it for anything.
In Your case: do not use native HTTP authentication.
--
Sincerely Yours, AnrDaemon <an*******@freemail.ru>

Jun 2 '08 #9
