I don't believe these considerations represent actual risks of
using web-server based authentication (.htaccess files).

- Once a user is authenticated, the script can still tell who they are,
  and assume roles based on that information.

- There are many scripts out there that can manage NCSA/Apache
  style BasicAuth (.htaccess/.htpasswd) files via a web page, with varying
  levels of access control.  I use .htaccess files to link the web server
  up with MySQL/Postgresql or LDAP databases, instead of having the
  passwords in a text file.  Then I'll have a web-based (or command-line
  based, or Windows desktop based) program that allows users to change
  their own information in the database.

- .htaccess files, in a basic configuration (i.e. text-file passwords) are
  really no less secure than the text of your Perl script.  The common
  misconfigurations of the web server that cause .htaccess files to be
  readable also make the perl scripts in the same directory readable.
  If you use a databasized .htaccess, then passwords aren't kept in any
  file accessible by the web server.

On 30 Aug 2002, Gfoo wrote:

> > you have ruled out using .htaccess for some reason?
> >
> > ciao
> > drieux
>
> I don't want to use .htaccess, because:
> - there are scripts whose actions depend on the role of the user that
> executes them. For example, there is a script all users can execute, but
> its output is different for every user/user_id.
> - I want the users to be able to change their profile info and passwords
> from around the world, without having to log in on a server to do that.
> - I also want to have a (web) administration console that can be used to
> manage user accounts, that can be used by users without knowledge of how
> Apache and .htaccess files work.
> - I think .htaccess files are a bit more "open" to be retrieved by
> individuals trying to break the system.
>
> Gfoo
>
> --
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
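The first point of the reply above, that a script sitting behind web-server authentication can still tell who the user is and branch on a role, as an added example that is not code from either poster: a Perl CGI script that reads the REMOTE_USER variable Apache sets once Basic auth has succeeded and looks the name up in a role table. The role table, the usernames, the htpasswd path in the comment and the role_for name are all constructed for illustration; a real deployment would query the MySQL/PostgreSQL or LDAP store the reply describes instead of a hash.

```perl
#!/usr/bin/perl
# Added example (not from the list thread): let the web server do the
# authentication and have the CGI script consume only the identity it
# hands over in REMOTE_USER. Matching .htaccess for the script's directory
# (the AuthUserFile path is a placeholder; keep it outside DocumentRoot so
# the password file is never itself a web-servable document):
#
#   AuthType Basic
#   AuthName "Members"
#   AuthUserFile /path/outside/docroot/members.htpasswd
#   Require valid-user
use strict;
use warnings;

# Constructed sample role table standing in for the database lookup.
my %ROLE_OF = (
    alice => 'admin',
    bob   => 'user',
);

# Map an authenticated username to a role. Returns undef when the server
# authenticated nobody, which is the failure mode to watch for: the script
# was reached through a location the .htaccess does not protect. Known
# users get their role, unknown authenticated users get 'none'.
sub role_for {
    my ($remote_user) = @_;
    return undef unless defined $remote_user && length $remote_user;
    return $ROLE_OF{$remote_user} // 'none';
}

sub main {
    my $user = $ENV{REMOTE_USER};
    my $role = role_for($user);

    print "Content-Type: text/plain\r\n";
    unless (defined $role) {
        # No authenticated identity: refuse rather than fall through to
        # anonymous output, and log it so the misconfiguration is noticed.
        print STDERR "role check: REMOTE_USER unset, script reached unauthenticated\n";
        print "Status: 403 Forbidden\r\n\r\n";
        print "This script must be reached through an authenticated location.\n";
        return;
    }
    print "\r\n";

    # Per-user output, as in the original question: same script for
    # everyone, different result depending on who the server says is calling.
    print "Hello $user, your role is $role.\n";
    if ($role eq 'admin') {
        print "Admin-only output goes here.\n";
    } else {
        print "Per-user output for $user goes here.\n";
    }
}

main();
```

Because the identity comes from the server and not from a form field or cookie the script parses itself, the script cannot be talked into a different user by request data; the only thing to verify at deployment time is that every URL that reaches the script is covered by the same auth configuration, which the undef branch above makes visible if it is not.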