Vulnerability Development mailing list archives
Re: remote_user and apache
From: Holger van Koll <holger () VANKOLL DE>
Date: Wed, 2 Aug 2000 20:03:01 +0200
David Augros wrote:
> Sorry if this is offtopic, but I figure it's close enough to try. Does anybody know how basic http auth is handled (in particular, by apache)?

In short: If apache finds any instruction that the accessed page is protected (e.g. a .htaccess file), it asks for username/pwd for every request. The browser also sends it again every time (however, it only prompts you one time).

> Specifically, I am interested in the env variable 'remote_user'

This variable is set by httpd, not sent by the browser (as most others), so...

> My interest is in whether the 'remote_user' variable is trustworthy

... it's not easy to forge. A http://somewhere/something.html?remote_user=bla won't forge it. I would trust it.
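
The behaviour described in the reply above, as an added example that is not part of the original message and not Apache's code: a simplified model of a server checking Basic credentials on every request and setting REMOTE_USER itself, while the query string is passed through untouched. The names `USERS`, `basic_credentials`, `build_cgi_env` and `auth_header` and the credential table are assumptions made for the illustration.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed credential table standing in for an htpasswd file
# (plaintext passwords only to keep the illustration short).
USERS = {"alice": "correct horse"}

def basic_credentials(header):
    """Decode 'Authorization: Basic <base64(user:password)>', or return None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def build_cgi_env(url, headers):
    """Return (status, env) as a server would before running a protected script.

    The check runs on every request: no credentials, or wrong ones, means 401.
    REMOTE_USER is written only here, after the password has been verified.
    """
    env = {"QUERY_STRING": urlsplit(url).query}  # client data, passed through as-is
    creds = basic_credentials(headers.get("Authorization"))
    if creds is None:
        return 401, env
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return 401, env
    env["AUTH_TYPE"] = "Basic"
    env["REMOTE_USER"] = user  # set by the server, never copied from the request
    return 200, env

def auth_header(user, password):
    """What the browser resends with each request after prompting once."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

A script run with this environment should take the user's identity from `env["REMOTE_USER"]` only; a `remote_user` value in `QUERY_STRING` is ordinary request data.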