> -----Original Message----- > From: K Anand [mailto:[EMAIL PROTECTED] > Sent: Donnerstag, 12. Mai 2005 10:46 > To: users@httpd.apache.org > Subject: Re: [EMAIL PROTECTED] Basic Authentication question > > > Thanx...I used ethereal to see the flow of data between browser and > server...one point though...I was able to see my password in > clear text in > ethereal. So it is possible that it could be open to the public ??
Of course. What made you think it might be secure? If you want to hide the PW, you have to use HTTPS. However, be aware that Basic authentication is not very secure anyway (see http://httpd.apache.org/docs/howto/auth.html#basiccaveat) Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. > > Anand > ----- Original Message ----- > From: "Boyle Owen" <[EMAIL PROTECTED]> > To: <users@httpd.apache.org> > Sent: Thursday, May 12, 2005 1:37 PM > Subject: RE: [EMAIL PROTECTED] Basic Authentication question > > > > -----Original Message----- > > From: K Anand [mailto:[EMAIL PROTECTED] > > Sent: Donnerstag, 12. Mai 2005 05:52 > > To: users@httpd.apache.org > > Subject: Re: [EMAIL PROTECTED] Basic Authentication question > > > > > > you didn't understand what I was asking...The config I have > > included is > > working ..I have used htpasswd and everything is working > > fine....All I want > > to know is how does apache know that I have already > > authenticated or not ? > > The first time the client requests a resource in a protected realm, it > doesn't know it is protected so makes a plain request. The > server responds > with a 401 Unauthorized. The client then pops up a password window and > captures the username/password (aka, the credentials). The > client repeats > the request but this time adds an Authorization header containing the > credentials. The server gets the request and verifies the > credentials, if > OK, it serves the resource. The client caches the credentials > and for all > subsequent requests in the same realm, it adds the same Authorization > header - that's how you stay "logged in". > > That's also how it is really hard to get the browser to "forget" your > password - even if you surf off to a different site and come > back a day > later, it'll remember your credentials and send them off again. > > Rgds, > Owen Boyle > Disclaimer: Any disclaimer attached to this message may be ignored. > > > > Anand > > > > ----- Original Message ----- > > From: "Chris Winfield-Blum" <[EMAIL PROTECTED]> > > To: <users@httpd.apache.org> > > Sent: Thursday, May 12, 2005 9:14 AM > > Subject: Re: [EMAIL PROTECTED] Basic Authentication question > > > > > > > you will have to use the htpasswd tools located in your > > apache bin to > > > create the password file. then you point that directory to > > that file: ie: > > > > > > /etc/httpd/conf/passwd/passwords > > > > > > This should do that you need :) > > > > > > K Anand said the following: > > > > > > >Hi all, > > > > > > > >I have a very basic question regarding authentication on > > apache...I have > > in > > > >my httpd.conf a section like below : > > > ><Directory "/var/www/cgi-bin"> > > > > AuthType Basic > > > > AuthName "By Invitaion Only" > > > > AuthUserFile /etc/httpd/conf/passwd/passwords > > > > Require valid-user > > > > > > > > AllowOverride None > > > > Options ExecCGI > > > > Order allow,deny > > > > Allow from all > > > ></Directory> > > > > > > > >So whenever a browser first sends a cgi-bin request, > > authentication is > > done > > > >by userid and password...Whenever subsequent requests come > > for cgi-bin, > > > >authentication is not required provided the browser has > > not been closed. > > How > > > >is this done ? > > > > > > > >I know that this is not a problem but I would like to know > > just for my > > > >information. > > > > > > > >Thanx > > > >Anand > > > > > > > > > > > > > > >--------------------------------------------------------------------- > > > >The official User-To-User support forum of the Apache HTTP Server > > Project. > > > >See <URL:http://httpd.apache.org/userslist.html> for more info. > > > >To unsubscribe, e-mail: [EMAIL PROTECTED] > > > > " from the digest: [EMAIL PROTECTED] > > > >For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > The official User-To-User support forum of the Apache HTTP > > Server Project. > > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > " from the digest: [EMAIL PROTECTED] > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > > > > > --------------------------------------------------------------------- > > The official User-To-User support forum of the Apache HTTP > > Server Project. > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > " from the digest: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > This message is for the named person's use only. It may contain > confidential, proprietary or legally privileged information. No > confidentiality or privilege is waived or lost by any > mistransmission. If > you receive this message in error, please notify the sender > urgently and > then immediately delete the message and any copies of it from > your system. > Please also immediately destroy any hardcopies of the > message. You must not, > directly or indirectly, use, disclose, distribute, print, or > copy any part > of this message if you are not the intended recipient. The > sender's company > reserves the right to monitor all e-mail communications through their > networks. Any views expressed in this message are those of > the individual > sender, except where the message states otherwise and the sender is > authorised to state them to be the views of the sender's company. > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP > Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] > " from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP > Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: [EMAIL PROTECTED] > " from the digest: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
