I hope I got the email correct. I'm trying to post to the mailing list.

I want to do the following in htaccess for account security:

    # everything except the two login handlers
    <FilesMatch "^(?!(wp_login|logout)\.php$).+">
        SetEnvIf Authorization "^(.*)Account(.*)$" logged_in
        Order Allow,Deny
        Allow from env=logged_in
    </FilesMatch>

    <Files wp_login.php>
        AuthType Basic
        AuthName "Account"
        require group account
    </Files>

    <Files logout.php>
        AuthType Basic
        AuthName "Leave"
        require group leave
    </Files>

Basic authentication doesn't "remember" the AuthType, but Digest does. Cookies are too insecure because they are readily editable. I'm connecting over a secure certificate.

I believe a user could possibly telnet in and send an Authorization header? I want to know the risk of them getting or guessing the right AuthType under these circumstances. How vulnerable is the request Authorization header?

Also, it seems to me I could rewrite mod_auth_digest to use MySQL by modifying the code, recompiling, and linking in the new object. I haven't tried it yet, so I don't know the obstacles. I'd like to know first if this is a worthwhile endeavor and how much of a security risk it will introduce.

The point of this is to avoid the ugly popups that requiring authentication causes. Does anyone have any suggestions on a better approach?

Michele
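An added example, not from Michele's post: the posted SetEnvIf rule beside a form that makes mod_auth_digest verify every protected request. It keeps the Apache 2.2-style syntax of the post; the password and group file paths are placeholders.

```apache
# Weak: the posted rule grants access when the Authorization header merely
# contains "Account". SetEnvIf pattern-matches the header text; it never
# verifies a password, so a hand-typed header passes the Allow rule.
# (shown for contrast only; drop it when using the block below)
<FilesMatch "^(?!(wp_login|logout)\.php$).+">
    SetEnvIf Authorization "^(.*)Account(.*)$" logged_in
    Order Allow,Deny
    Allow from env=logged_in
</FilesMatch>

# Corrected: every protected file is checked by mod_auth_digest against the
# same realm. A browser reuses the credentials it already holds for the
# "Account" realm, and a forged header without a valid Digest response gets
# a 401 instead of the page.
AuthType Digest
AuthName "Account"
AuthDigestProvider file
# placeholder paths; htdigest entries are per realm (user:realm:hash)
AuthUserFile /path/to/digest-passwd
AuthGroupFile /path/to/groups

<FilesMatch "^(?!logout\.php$).+">
    Require group account
</FilesMatch>

# logout keeps its own realm so the browser must present different
# credentials there, as in the post
<Files logout.php>
    AuthName "Leave"
    Require group leave
</Files>
```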