Nick, No option that I am aware off - I think server variables could be left unregistered as a group within php.ini conf file which of course results in a functionality disaster. One way to deal with this is to recompile PHP and opt not to register PHP_AUTH_PW (in main/php_variables.c). I thought there might be a more friendly (Apache) approach to deal with this problem. Apparently authnz_ldap won't work with AuthType Digest either. -JE -----Original Message----- From: Nick Kew [mailto:nick@xxxxxxxxxxxx] Sent: 05 December 2008 20:30 To: users@xxxxxxxxxxxxxxxx Subject: Re: AuthType, Content hashing for LDAP On Fri, 5 Dec 2008 17:28:17 +0200 "Johnny Edge" <jedge@xxxxxxxxxxxxx> wrote: > Everything is fine and works as expected, however I much prefer to > have the 'Authorization: Basic YXBhY2hldXNlcjphcGFjaGVwYXNz' header > encrypted and not available to a var such as $_SERVER["PHP_AUTH_PW"] > in PHP while not harming the ldap functionality. Isn't there a PHP option to suppress that? With CGI the password is always withheld unless you compile with BIG_SECURITY_HOLE? You could use RequestHeader. > Do you reckon there is a work around for this, i.e. w/ mod Digest or > other means? That'll work around it too, to the extent that the credentials exposed to PHP will be of no use to a cracker. But better just to remove it, or replace it with a dummy value. -- Nick Kew Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx