[Nottingham] Password Protecting scripts on a webserver

Penfold penfoldq at penfoldq.co.uk
Thu May 31 19:41:25 BST 2007

On Thu, May 31, 2007 at 03:46:31PM +0100, Chris Burton wrote:
> >Any suggestions?
> I would say use basic auth over https with a self signed cert but I guess 
> that's out the window since basic auth has "huge security flaws".
> ChrisB. 

Hmmm. thanks for the idea... perhaps I was over-engineering the problem.

The "huge security flaws" are basically things like every request 
containing the plaintext authentication data that can be easily sniffed 
and no protection against brute force attacks.

For the benefit of the archives, here is my full solution I am happy 
with (after further reading on the matter)

If I simply use a mod_rewrite to force a subdirectory to be ssl only 
and with http basic auth, that should be enough to stop casual 
miscreants. If I also use digest auth rather than basic auth, that 
should prevent the password being sent in an easily reversible encoding 
in the first place... together I should have a pretty strong 

With the addition of another module BruteWatch, I can keep track 
of any attempts to obtain valid credentials by a brute force attack and 
take appropriate action. 

As always, !Lug gives me a simple answer to a problem I had overthought.




More information about the Nottingham mailing list