RE: Location of Apache Modules

2009-04-23 Thread Houser, Rick
At the HTTP layer, there is no such thing as a logged-in user (stateless protocol and all), so I assume you must be referring to application-specific, session-based code. Consider this case: Alice - user in groups X, Z; Brian - user in groups X, Y. Assume your server handles the

mod_auth_digest amiss

2009-04-23 Thread Michele Waldman
Maybe I'm missing something. I was talking about needing to change apache, but I decided to try something else. I've got this: FilesMatch .*[^(login.php|logout.php)] AuthType Digest AuthName account AuthUserFile /home/path/public_html/account/.htpasswd Require user admin
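The FilesMatch pattern in the message above is the piece that decides which files the Digest protection covers, so it is worth checking what it actually matches. The script below is an added example for readers of the archive, not code from the thread: it runs the posted pattern and a negative-lookahead alternative over a constructed list of filenames. It assumes Python's re module behaves like Apache's PCRE for these two constructs (character class, lookahead), which holds for the syntax used here, and that FilesMatch applies the regex as an unanchored search against the basename (so re.search, not re.fullmatch).

```python
import re

# Pattern exactly as posted in the message above. The square brackets make this
# a character class: it matches any file containing at least one character that
# is NOT one of ( l o g i n . p h | u t ), which is not an exclusion of the two names.
POSTED = r".*[^(login.php|logout.php)]"

# Assumed replacement (not from the thread): a negative lookahead that matches
# every filename except login.php and logout.php, which is what the config intends.
EXCLUDING = r"^(?!(?:login|logout)\.php$).+"


def protected_by(pattern: str, filename: str) -> bool:
    """True if a FilesMatch block using `pattern` would apply to `filename`,
    i.e. the Digest auth inside it would be required for that file."""
    return re.search(pattern, filename) is not None


def compare(filenames):
    """Map each filename to (protected by POSTED, protected by EXCLUDING)."""
    return {name: (protected_by(POSTED, name), protected_by(EXCLUDING, name))
            for name in filenames}


def left_open_by_posted(filenames):
    """Files the posted pattern does NOT protect although they are not the
    two files the author meant to exempt."""
    exempt = {"login.php", "logout.php"}
    return sorted(n for n in filenames
                  if n not in exempt and not protected_by(POSTED, n))


# Constructed sample filenames for the comparison.
SAMPLE = ["login.php", "logout.php", "index.php", "account.php",
          "input.php", "output.php"]

if __name__ == "__main__":
    for name, (posted, excluding) in compare(SAMPLE).items():
        print(f"{name:12s} posted={posted!s:5s} lookahead={excluding}")
    print("unprotected by posted pattern:", left_open_by_posted(SAMPLE))
```

The posted pattern happens to leave login.php and logout.php unmatched only because every character in those two names is inside the class; any other file spelled from the same characters (input.php, output.php in the sample) is unmatched too and served without authentication, while the lookahead form protects everything except the two named files.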

RE: mod_auth_digest amiss correction

2009-04-23 Thread Michele Waldman
Correction: The second time I try to access login.php, I get access. But, not when I try to access the directory that also has the same require. Michele -Original Message- From: Michele Waldman [mailto:mmwald...@nyc.rr.com] Sent: Thursday, April 23, 2009 8:11 PM To:

Re: mod_auth_digest amiss correction

2009-04-23 Thread Eric Covener
Am I mistaken in thinking I should not be logged in as admin? Or that there is some way to force this to happen? This is just your browser using stored credentials. It doesn't know the significance of your logout user. -- Eric Covener cove...@gmail.com

Safari, Chrome, ..., Apache, ajax htaccess digest

2009-04-23 Thread Michele Waldman
I know I'm not the only person in the world who wants Safari, Chrome and other browsers to work with apache, htaccess digest and ajax. But once out of an account, you can't get back in via these browsers. Is it up to Safari and other browsers to execute some sort of logout like FF or IE, or for the

Includes vs IncludesNoExec security issue - help needed

2009-04-23 Thread Joe Orton
A security issue in the handling of the Includes and IncludesNoExec directives was reported recently, and I'm after some help. The security issues are as follows: a) If AllowOverride Options=IncludesNoEXEC is configured in httpd.conf, a user can put Options Includes in an .htaccess file
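Issue (a) from the message above, written out as configuration so the combination is easy to recognise in an audit. This is an added example for readers of the archive, not from the report, from Joe's test patch, or from httpd's own test suite; the directory paths and the .htaccess location are placeholders, and the third stanza is a conservative setting assumed here for an unfixed server, not a fix described in the thread.

```apache
# httpd.conf: the administrator wants SSI for user content but no
# <!--#exec ...--> (IncludesNoExec), and delegates only that one option
# to per-directory .htaccess files.
<Directory "/var/www/users">
    Options IncludesNoExec
    AllowOverride Options=IncludesNoExec
</Directory>

# /var/www/users/alice/.htaccess: per issue (a), a user can place this
# in an .htaccess file under the stanza above even though only
# IncludesNoExec was delegated, which is what the report flags.
Options Includes

# Assumed conservative configuration while running a release that
# behaves as in (a): do not delegate the Options override at all, so the
# server-level Options line stays authoritative for the whole tree.
<Directory "/var/www/users">
    Options IncludesNoExec
    AllowOverride AuthConfig Limit
</Directory>
```

When reviewing a server, grep every .htaccess under a directory whose AllowOverride grants any Options=... list for lines that set Includes (absolute or +Includes); with the behaviour described in (a) those lines are accepted rather than rejected, so the presence of IncludesNoExec in the server configuration alone says nothing about whether exec is actually disabled.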

Re: mod_proxy/mod_proxy_balancer bug

2009-04-23 Thread Jim Jagielski
On Apr 22, 2009, at 5:16 AM, jean-frederic clere wrote: Rainer Jung wrote: On 20.04.2009 15:57, Jim Jagielski wrote: On Apr 17, 2009, at 4:28 PM, Rainer Jung wrote: The same type of balancing decision algorithm was part of mod_jk between 1.2.7 and 1.2.15. I always had problems to

Re: Includes vs IncludesNoExec security issue - help needed

2009-04-23 Thread Eric Covener
On Thu, Apr 23, 2009 at 8:31 AM, Joe Orton jor...@redhat.com wrote: - if httpd.conf has Options Includes, and an .htaccess file has   Options +IncludesNoExec - should exec= be permitted in an SSI? My (soft) preference would be exec= permitted and doc tweak to match the notion of what Includes +

Re: mod_proxy/mod_proxy_balancer bug

2009-04-23 Thread Jim Jagielski
On Apr 23, 2009, at 8:45 AM, Jim Jagielski wrote: +1... Maybe I'll branch off a 2.2-proxy branch as a sandbox to play around in... Then we can front-port to trunk and use the sandbox as the backport source :) Just in case people didn't see it, I've created a branch from 2.2.x as a place

Re: Includes vs IncludesNoExec security issue - help needed

2009-04-23 Thread Jeff Trawick
On Thu, Apr 23, 2009 at 8:31 AM, Joe Orton jor...@redhat.com wrote: These are fixable but one question is left on how a particular combination of Includes and IncludesNoExec is interpreted: - if httpd.conf has Options Includes, and an .htaccess file has Options +IncludesNoExec - should

Re: SNI in 2.2.x (Re: Time for 2.2.10?)

2009-04-23 Thread Plüm, Rüdiger, VF-Group
-----Original Message----- From: Kaspar Brand Sent: Wednesday, 22 April 2009 09:12 To: dev@httpd.apache.org Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?) Ruediger Pluem wrote: the next configuration *can* do security harm: VirtualHost foo.example.com:443

Re: Includes vs IncludesNoExec security issue - help needed

2009-04-23 Thread William A. Rowe, Jr.
Joe Orton wrote: These are fixable but one question is left on how a particular combination of Includes and IncludesNoExec is interpreted: - if httpd.conf has Options Includes, and an .htaccess file has Options +IncludesNoExec - should exec= be permitted in an SSI? I can argue this

Re: Includes vs IncludesNoExec security issue - help needed

2009-04-23 Thread Ruediger Pluem
On 04/23/2009 02:31 PM, Joe Orton wrote: A security issue in the handling of the Includes and IncludesNoExec directives was reported recently, and I'm after some help. The security issues are as follows: a) If AllowOverride Options=IncludesNoEXEC is configured in httpd.conf, a user

Re: Includes vs IncludesNoExec security issue - help needed

2009-04-23 Thread Ruediger Pluem
On 04/23/2009 02:31 PM, Joe Orton wrote: I've attached the patch I'm using for testing; results are up here: Is it the same one you posted on secur...@httpd.apache.org? Regards Rüdiger

Improperly shared resources?

2009-04-23 Thread Duane Buss
While shutting down apache on a windows server with debug libraries, the underlying os libraries were complaining about the double free of a block of memory. It appears that when ap_proxy_add_worker_to_balancer(apr_pool_t *pool, proxy_balancer *balancer, proxy_worker *worker) is

Re: SNI in 2.2.x (Re: Time for 2.2.10?)

2009-04-23 Thread Kaspar Brand
Plüm, Rüdiger, VF-Group wrote: As I said further down below, I also see good and valid use cases for the combination SSLVerifyClient optional and %{SSL_CLIENT_VERIFY}. And this combination should be safe even if this comes at the price that some configurations are not possible without SNI. But