And rightfully so... being paranoid, that is. You may want to use something a little stronger for authorization, such as mysqlauth or almost any other authentication scheme/module. Also, you may want to include nobots.txt in any directory you do not want a search engine to probe.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Gordon
Sent: Tuesday, February 08, 2005 12:05 PM
To: LUAU
Subject: Re: [LUAU] apache security question

Charles Lockhart wrote:
> So, we have a script or something that every time you create a
> directory in that secure directory, the script adds an .htaccess file,
> and the .htaccess file is used to enforce privacy, requiring a
> username and password to log in. I'm told that this should be secure
> enough to keep people from accessing the private area, and to prevent
> information from turning up on Google + etc.
>
> So my question is, is that correct? I have no webmaster experience,
> and very limited privacy/security experience, so I'm not setting that
> up, our network admin is, but I figured I'd get a second (third,
> fourth, fifth...) opinion.
>

HTTP Auth should be enough for a wiki. I don't know anything about your particular wiki, so consider the flaw of HTTP Auth for yourself. The session is handled entirely on the client-side (no specification for "logging off"). And the authentication can be passed in the URI/REFERER strings. A funky browser behavior could, in turn, send this kind of info to a foreign entity (google, etc). But I may just be paranoid.

Tom
_______________________________________________
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
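
The leak Tom describes, HTTP Auth credentials carried in a URI and passed along in the Referer, can be checked for in a web server's own access log. The following is an added example, not part of the original thread: it scans combined-format log lines for URLs with embedded `user:password@` userinfo and redacts the password. The function names, hostnames and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def redact_userinfo(url):
    """Return (url_with_password_redacted, had_userinfo) for one URL string."""
    try:
        parts = urlsplit(url)
    except ValueError:              # malformed URL: nothing we can safely parse
        return url, False
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:                      # no user[:password]@ prefix on the authority
        return url, False
    user, colon, _password = userinfo.partition(":")
    netloc = f"{user}:REDACTED@{hostport}" if colon else f"{user}@{hostport}"
    return urlunsplit(parts._replace(netloc=netloc)), True

def find_leaked_credentials(lines):
    """Return (line_number, field, redacted_url) for each URL carrying userinfo."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        fields = {"referer": m["referer"]}
        request = m["request"].split()
        if len(request) >= 2:       # request target may be an absolute URI
            fields["request"] = request[1]
        for name, value in fields.items():
            redacted, leaked = redact_userinfo(value)
            if leaked:
                findings.append((lineno, name, redacted))
    return findings

# Constructed sample log lines (documentation addresses, made-up credentials).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Feb/2005:12:05:01 -1000] "GET /index.html HTTP/1.1" 200 512 '
    '"http://alice:s3cret@wiki.example.org/private/Notes" "Mozilla/5.0"',
    '203.0.113.8 - - [08/Feb/2005:12:06:10 -1000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Feb/2005:12:07:44 -1000] "GET /img/logo.png HTTP/1.1" 200 2048 '
    '"http://wiki.example.org/public/Home" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_LOG):
        print(finding)
```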