On Wed, Apr 8, 2009 at 9:04 AM, Tom Evans <tevans.uk@xxxxxxxxxxxxxx> wrote:
> On Wed, 2009-04-08 at 14:43 +0200, ml@xxxxxxxxx wrote:
>> Hello List,
>>
>> Is there a way to build or code or make a custom HTTP Auth? The plain
>> htaccess one looks ugly and does not have all the features that I want.
>>
>> Are there any alternatives?
>>
>> Cheers,
>> Mario
>>
>
> http://httpd.apache.org/docs/2.2/howto/auth.html
>
> HTH
>
> Tom

The way the auth looks is determined by your browser. The Apache
server just tells the browser that a certain kind of auth is required,
and the browser does whatever its programmers told it to do to satisfy
that auth (e.g., presenting the user with a dialog box).

If you want pretty auth, your best bet is to implement it in your
server side scripting, but this is non-trivial if you want it to
actually be secure. Not that it's impractical to do, but there is more
that needs to go into it than a lot of web site designers seem to
think. Specifically, making sure a person's password is not visible in
the network traffic is key, and also making sure that the same
submitted login tokens are not valid more than once (even if
encrypted, Mallory can just resubmit the same encrypted values to hack
in as a different user).

The most secure auth is always done over SSL.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
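
The reply's point that submitted login tokens must not be valid more than once can be enforced server-side with a signed, short-lived, single-use nonce embedded in the login form. The sketch below is an added example, not code from the thread or from the Apache project; the class name `LoginNonceStore`, its methods and the in-memory dictionary are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class LoginNonceStore:
    """Hypothetical helper: issues signed, single-use, short-lived login nonces."""

    def __init__(self, key=None, ttl=300, clock=time.time):
        self._key = key or secrets.token_bytes(32)  # server-side secret, never sent out
        self._ttl = ttl                             # seconds a nonce stays valid
        self._clock = clock                         # injectable so expiry can be tested
        self._outstanding = {}                      # nonce -> expiry; entry removed on use

    def _sign(self, nonce, expiry):
        msg = f"{nonce}.{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self):
        """Return a token to place in the login form as a hidden field."""
        now = self._clock()
        # Drop nonces that expired unused so the table cannot grow without bound.
        self._outstanding = {n: e for n, e in self._outstanding.items() if e >= now}
        nonce = secrets.token_urlsafe(16)           # URL-safe alphabet contains no "."
        expiry = int(now) + self._ttl
        self._outstanding[nonce] = expiry
        return f"{nonce}.{expiry}.{self._sign(nonce, expiry)}"

    def consume(self, token):
        """True exactly once per issued token; False if forged, expired or replayed."""
        try:
            nonce, expiry_s, sig = token.split(".")
            expiry = int(expiry_s)
        except ValueError:
            return False                            # malformed token
        expected = self._sign(nonce, expiry).encode()
        if not hmac.compare_digest(sig.encode(), expected):
            return False                            # forged or tampered, nonce untouched
        if self._clock() > expiry:
            self._outstanding.pop(nonce, None)
            return False                            # expired
        # pop() checks and invalidates in one step, so a resubmitted copy of a
        # captured login request finds nothing left to consume.
        return self._outstanding.pop(nonce, None) == expiry
```

The login handler would call `consume()` before checking the password and reject the request when it returns False. A deployment with several server processes needs a shared store in place of the dictionary, and the nonce only stops replay: the password itself still has to travel over SSL, as the reply says.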