I would like to use my RSS reader to monitor a few timeline RSS feeds of mine from Fossil (tickets mainly). The problem is that on a few of the work projects, all repos are locked down. I cannot access the RSS feed without authenticating. I do not wish to duplicate all the username/passwords into an htpasswd setup and use REMOTE_USER because of the duplicate effort. Thus I have made a change to Fossil's login_check_credentials method to accept the query parameters authuser and authpass. If found, it attempts to authenticate off this string. Thus, I can do:

https://myrepo/index.cgi/timeline.rss?authuser=johndoe&authpass=secret

This works great; however, when thinking it through, it is not entirely secure even across https because the query string will be recorded in the access.log file, which non-devs could gain access to and retrieve usernames and passwords. One could use a base64 encoding like basic HTTP authentication, but this causes the average joe to not be able to benefit from the change, because who knows to take the username and password, concatenate them with a : and then base64 encode them? Not very user friendly. One could encode the authuser and authpass into a POST query, but then RSS readers would not be able to take advantage of this.

How do others deal with this problem? I assume it is a legit problem? I believe that encoding on the URL may be the best solution, but I am open to suggestions.

Jeremy
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
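The leak described above (credentials in the query string ending up in access.log) can be contained on the server side by scrubbing the log before anyone else reads it. The following is an added example, not Fossil code or anything from the post's author: it redacts the authuser/authpass values from Combined Log Format lines and, as a caveat, decodes a Basic credential to show that base64 only encodes, it does not hide. The parameter names come from the patch described in the post; the sample log lines are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names taken from the patch described in the post; the
# redaction logic itself is this example's own, not Fossil code.
CREDENTIAL_PARAMS = {"authuser", "authpass"}

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) (HTTP/\d\.\d)"')


def redact_url(target: str) -> str:
    """Mask credential-bearing query values, keeping every other parameter."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log_line(line: str) -> str:
    """Rewrite one access-log line so the request target no longer carries secrets."""
    return REQUEST_RE.sub(
        lambda m: f'"{m.group(1)} {redact_url(m.group(2))} {m.group(3)}"', line
    )


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover user and password from an 'Authorization: Basic <b64>' value.

    This makes the caveat concrete: base64 is reversible encoding, not
    encryption, so it hides nothing from whoever can read the header or a log.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


# Constructed sample log lines (not real traffic) in Combined Log Format.
SAMPLE_LOG = [
    '10.0.0.7 - - [12/Mar/2012:08:15:02 +0000] "GET /index.cgi/timeline.rss?authuser=johndoe&authpass=secret HTTP/1.1" 200 4821 "-" "FeedReader/1.0"',
    '10.0.0.9 - - [12/Mar/2012:08:15:10 +0000] "GET /index.cgi/timeline.rss?n=50 HTTP/1.1" 200 4821 "-" "FeedReader/1.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

Running the scrubber as a log post-processor does not remove the exposure in transit or in the reader's own config; it only keeps the stored access.log from becoming a password list.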