Hi,

Apache user authentication results in two variables when used with PHP:
$_SERVER[PHP_AUTH_USER] and $_SERVER[PHP_AUTH_PW].

I'm using the SSPI module to validate users against Windows; this results in
the user's Windows password being non-encrypted and exposed to PHP. Is there
any config setting to encrypt this password so it is not directly accessible
to PHP?

I know the password isn't displayed after the PHP is processed, but often
$_SERVER is dumped to the PHP logs on an error. Passwords which should be
secure have now got a chance of getting into the wrong hands.

Nick
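
An added example, not part of the message above and not Apache or PHP project code: one way to keep the password out of error logs is to redact the credential-bearing entries from a copy of $_SERVER before it is written. The function names and the `[REDACTED]` placeholder are assumptions for illustration, and the sample array is constructed.

```php
<?php
// $_SERVER keys that can carry HTTP authentication secrets.
// PHP_AUTH_PW is the one named in the message; the Authorization
// header variants hold the same password base64-encoded for Basic auth.
const SENSITIVE_SERVER_KEYS = [
    'PHP_AUTH_PW',
    'PHP_AUTH_DIGEST',
    'HTTP_AUTHORIZATION',
    'REDIRECT_HTTP_AUTHORIZATION',
    'HTTP_PROXY_AUTHORIZATION',
];

// Hypothetical helper: returns a copy of the array with secrets replaced.
// The original array is left untouched so the application can still use it.
function redact_server_vars(array $server): array
{
    foreach ($server as $key => $value) {
        if (in_array(strtoupper((string) $key), SENSITIVE_SERVER_KEYS, true)) {
            $server[$key] = '[REDACTED]';
        }
    }
    return $server;
}

// Hypothetical error handler: logs request context without credentials.
function log_error_with_context(int $errno, string $errstr, string $errfile, int $errline): bool
{
    $context = json_encode(redact_server_vars($_SERVER));
    error_log(sprintf('[%d] %s in %s:%d | context=%s', $errno, $errstr, $errfile, $errline, $context));
    return false; // fall through to PHP's normal error handling
}

set_error_handler('log_error_with_context');

// Constructed sample standing in for $_SERVER after Basic authentication.
$sample = [
    'REQUEST_URI'        => '/index.php',
    'AUTH_TYPE'          => 'Basic',
    'PHP_AUTH_USER'      => 'EXAMPLE\\nick',
    'PHP_AUTH_PW'        => 'constructed-password',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('EXAMPLE\\nick:constructed-password'),
];

$clean = redact_server_vars($sample);
echo json_encode($clean, JSON_PRETTY_PRINT), PHP_EOL;
// The user name and request details survive; the password and header do not.
```

This only protects log paths that go through the handler; any other code that dumps $_SERVER directly still sees the original values.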
