If you are improving applications and want to stay compatible with old code, it is necessary to take small steps. Do it just a little better at each step. If you introduce new features in a complex environment, you can't do it all at once. Sometimes adding encryption is not needed, but the decision to encrypt or not encrypt may change. It is simpler to explain an application if you say "all the data is encrypted and stored encrypted on the hard disk, without a breach in the chain". The application uses SSL and non-SSL. Adding encryption adds only a little bit more security, but it is a step.
It is really annoying to see all these questions, which suggest a complete rewrite. Sure, I can do that.

--
Deutsche Telekom AG
Seamless ICT Security Infrastructure & Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de

________________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Tuesday, 15 May 2012 23:33
To: mod_perl list
Subject: Re: AW: AUTH password

alexander.elg...@t-systems.com wrote:
> a...@ice-sa.com wrote:
>> alexander.elg...@t-systems.com wrote:
>>> Hello,
>>>
>>> I am looking for a way to retrieve the AUTH password, without using
>>> mod_rewrite ...
>> I'd be interested in how you would do it, using mod_rewrite.
>> For my personal education..
>
> mod_rewrite is really powerful, you are able to pass any header information
> to any output.
> I just tried the following rule, it just appends the header to the GET
> Request.
>
> RewriteEngine On
> RewriteRule (.*) $1?HTTP_Authorization=%{HTTP:Authorization} [PT]
>
> Or pass it to ENV:
> RewriteRule / - [PT,E=HTTP_Authorization:%{HTTP:Authorization}]
>
> http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
>
> In PHP you just need a single line to decode it:
> var_dump(base64_decode(str_replace('Basic ', '', $_REQUEST['HTTP_Authorization'])));
>
> var_dump(base64_decode(str_replace('Basic ', '', $_SERVER['HTTP_Authorization'])));
>
> And please do not talk about security, it is just base64, if there is no SSL,
> anyone in the middle is able to read the password.
>

I gather that this is a very indirect response to my question: you are talking about HTTP Basic Authentication. And without SSL, so this is a very insecure environment (but we did not know that before).
In that case - one among many possibilities, which is why I was asking - indeed the password is "encrypted" (so to speak) and sent over the network as part of the HTTP "Authorization" header.

And I gather - which you also did not say - that this is a cgi-bin script, not a mod_perl module. So indeed it has a cgi-bin "environment" available to it.
(This is a mod_perl support list, so it is kind of expected that people come here to ask mod_perl-specific questions, unless they say otherwise).

So now, about your initial question, does your webserver include mod_perl, and is your perl cgi-bin script running under mod_perl?
I am asking because you did not say, and because the response to your question is different, depending on your environment.

Basically:
- if you are not running under mod_perl, as a simple cgi-bin perl script, then you will also need mod_rewrite, and code similar to what you show above for PHP.
- if you are running under mod_perl, then your script would have access to some deeper things within Apache httpd, and you could do this without mod_rewrite.

And there is a side question too, just out of curiosity: if this is such an insecure environment, why do you bother encrypting the response (using the user's password which everyone can get at anyway)?
And if this is running under SSL, then also why bother encrypting the response?
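
Added example, not part of the thread and not code posted by either participant: a Perl counterpart to the PHP one-liner quoted above, for a plain cgi-bin script that receives the header value in `$ENV{HTTP_Authorization}` as set by the quoted `E=` RewriteRule. The function name `parse_basic_auth` and the sample credentials are assumptions made up for the illustration; unlike the `str_replace` approach it rejects other schemes and malformed values and keeps colons inside the password.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Hypothetical helper: parse an HTTP "Authorization: Basic ..." value.
# Returns (user, password), or an empty list if the value is not
# well-formed Basic credentials.
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header;

    # The scheme name is case-insensitive; the rest must be pure base64.
    my ($token) = $header =~ /\A\s*Basic\s+([A-Za-z0-9+\/]+={0,2})\s*\z/i
        or return;
    return if length($token) % 4;      # truncated base64

    my $decoded = decode_base64($token);

    # Split on the FIRST colon only: the password may contain ':'.
    my ($user, $pass) = split /:/, $decoded, 2;
    return unless defined $pass;       # no colon at all
    return ($user, $pass);
}

# In a cgi-bin script the input would be $ENV{HTTP_Authorization}.
# Constructed sample values (not taken from the thread):
my @samples = (
    'Basic ' . encode_base64('alice:s3cr:et', ''),  # colon inside password
    'basic ' . encode_base64('bob:', ''),           # empty password
    'Digest username="carol"',                      # different scheme
    'Basic ' . encode_base64('nocolon', ''),        # malformed credentials
);

for my $h (@samples) {
    my @cred = parse_basic_auth($h);
    printf "%-32s => %s\n", $h,
        @cred ? "user='$cred[0]' password='$cred[1]'" : 'rejected';
}
```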