Re: [users@httpd] Basic Authentication question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanx...I used ethereal to see the flow of data between browser and
server...one point though...I was able to see my password in clear text in
ethereal. So it is possible that it could be open to the public ??

Anand
----- Original Message ----- 
From: "Boyle Owen" <Owen.Boyle@xxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Thursday, May 12, 2005 1:37 PM
Subject: RE: [users@httpd] Basic Authentication question


> -----Original Message-----
> From: K Anand [mailto:kanand@xxxxxxxxxxxxxx]
> Sent: Donnerstag, 12. Mai 2005 05:52
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] Basic Authentication question
>
>
> you didn't understand what I was asking...The config I have
> included is
> working ..I have used htpasswd and everything is working
> fine....All I want
> to know is how does  apache  know that I have already
> authenticated or not ?

The first time the client requests a resource in a protected realm, it
doesn't know it is protected so makes a plain request. The server responds
with a 401 Unauthorized. The client then pops up a password window and
captures the username/password (aka, the credentials). The client repeats
the request but this time adds an Authorization header containing the
credentials. The server gets the request and verifies the credentials, if
OK, it serves the resource. The client caches the credentials and for all
subsequent requests in the same realm, it adds the same Authorization
header - that's how you stay "logged in".

That's also how it is really hard to get the browser to "forget" your
password - even if you surf off to a different site and come back a day
later, it'll remember your credentials and send them off again.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
>
> Anand
>
> ----- Original Message ----- 
> From: "Chris Winfield-Blum" <chris@xxxxxxxxxxxxxxx>
> To: <users@xxxxxxxxxxxxxxxx>
> Sent: Thursday, May 12, 2005 9:14 AM
> Subject: Re: [users@httpd] Basic Authentication question
>
>
> > you will have to use the htpasswd tools located in your
> apache bin to
> > create the password file. then you point that directory to
> that file: ie:
> >
> > /etc/httpd/conf/passwd/passwords
> >
> > This should do that you need :)
> >
> > K Anand said the following:
> >
> > >Hi all,
> > >
> > >I have a very basic question regarding authentication on
> apache...I have
> in
> > >my httpd.conf a section like below :
> > ><Directory "/var/www/cgi-bin">
> > >    AuthType Basic
> > >    AuthName "By Invitaion Only"
> > >    AuthUserFile /etc/httpd/conf/passwd/passwords
> > >    Require valid-user
> > >
> > >    AllowOverride None
> > >    Options ExecCGI
> > >    Order allow,deny
> > >    Allow from all
> > ></Directory>
> > >
> > >So whenever a browser first sends a cgi-bin request,
> authentication is
> done
> > >by userid and password...Whenever subsequent requests come
> for cgi-bin,
> > >authentication is not required provided the browser has
> not been closed.
> How
> > >is this done ?
> > >
> > >I know that this is not a problem but I would like to know
> just for my
> > >information.
> > >
> > >Thanx
> > >Anand
> > >
> > >
> >
> >---------------------------------------------------------------------
> > >The official User-To-User support forum of the Apache HTTP Server
> Project.
> > >See <URL:http://httpd.apache.org/userslist.html> for more info.
> > >To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > >   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > >For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > >
> > >
> > >
> > >
> >
> >
> >
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP
> Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
> >
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>


This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission. If
you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system.
Please also immediately destroy any hardcopies of the message. You must not,
directly or indirectly, use, disclose, distribute, print, or copy any part
of this message if you are not the intended recipient. The sender's company
reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual
sender, except where the message states otherwise and the sender is
authorised to state them to be the views of the sender's company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux