Vulnerability Development mailing list archives

Re: remote_user and apache


From: Holger van Koll <holger () VANKOLL DE>
Date: Wed, 2 Aug 2000 20:03:01 +0200

David Augros wrote:

Sorry if this is offtopic, but I figure it's close enough to try.

Does anybody know how basic http auth is handled (in particular, by apache)?
In short: If apache finds any instruction that the accessed page is protected (e.g. a .htaccess file), it asks for username/pwd for every request. The browser also sends it again every time (however, it only prompts you one time).

Specifically, I am interested in the env variable 'remote_user'
This variable is set by httpd, not sent by the browser (as most others), so...

My interest is in whether the 'remote_user' variable is trustworthy
... it's not easy to forge. A http://somewhere/something.html?remote_user=bla won't forge it.

I would trust it.
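
The behaviour described in this message, as an added example that is not part of the original post and is not Apache's code: a small Python model of the server side of Basic auth that builds the CGI environment a script would see. The `USERS` table, the function names and the sample request are constructed for illustration; the `HTTP_` prefix for client headers follows the CGI convention.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed credential table standing in for an .htpasswd file
# (plaintext only to keep the example short).
USERS = {"alice": "s3cret"}

def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def build_cgi_env(url, headers):
    """Model the server: return (status, env) for a request to a protected page."""
    creds = parse_basic(headers.get("Authorization"))
    expected = USERS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return 401, {}  # client is challenged again; no script runs
    env = {
        "AUTH_TYPE": "Basic",
        "QUERY_STRING": urlsplit(url).query,  # client-controlled, kept separate
    }
    # Client headers only ever appear under an HTTP_ prefix.
    for name, value in headers.items():
        if name.lower() != "authorization":  # credentials are not handed to the script
            env["HTTP_" + name.upper().replace("-", "_")] = value
    env["REMOTE_USER"] = creds[0]  # set by the server, after verification
    return 200, env

if __name__ == "__main__":
    auth = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    url = "http://somewhere/something.html?remote_user=bla"
    print(build_cgi_env(url, {"Authorization": auth, "Remote-User": "bla"}))
```

In this model the `remote_user=bla` query parameter ends up only in `QUERY_STRING`, and a `Remote-User` request header ends up only in `HTTP_REMOTE_USER`; neither reaches `REMOTE_USER`.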

