Yes, thank for the responses and clarification. True the Basic Auth isn't really a login, as there is no logout per se.
One would suppose from the responses that using .htpasswd and Basic Auth is really a lousy approach to security, since an attacker can just wail away indefinitely trying repeatedly, unless one configured something like fail2ban to cut off repeated attempts. I was just looking to improve on that if possible. On Thu, 2011-10-06 at 22:54 +0200, Jeroen Geilman wrote: > On 2011-10-04 14:44, Neal Rhodes wrote: > > > We have bunches of web applications which use the regular Apache > > login protection, > > > Do you mean HTTP Basic Auth, as defined in RFC 2616 ? > > > > and they won't run unless REMOTE_USER is set by the Apache login. > > > > > > <Limit GET> > > require valid-user > > </Limit> > > > > <Limit POST PUT DELETE> > > require valid-user > > </Limit> > > > > AuthName O-Visitor > > AuthUserFile /usr/appl/cgi/.htpasswd > > > > AuthType Basic > > > > > > Yes, this is HTTP Basic AUTH. > It says so right there. > > > > > Looking at improving security, it would seem that it would be much > > harder to conduct brute-force attacks on these systems if we could > > configure Apache login to do two things: > > > You can't. > There is no "login", just an Authorization: header which has to be > sent for every page that requires it. > > > > A. Present the CAPTCHA style validation prompt as part of > > the login, to make it difficult for scripted attacks to > > proceed; > > B. Lockout an individual username in the .htpasswd file > > after X failed login attempts. > > > Actual login-ness (a state of logged in being different from a state > of not being logged in) must be achieved through non-HTTP means, > possibly supported by HTTP features such as cookies. > > > > -- > J.