[Nottingham] Password Protecting scripts on a webserver
Penfold
penfoldq at penfoldq.co.uk
Thu May 31 19:41:25 BST 2007
On Thu, May 31, 2007 at 03:46:31PM +0100, Chris Burton wrote:
> >Any suggestions?
> I would say use basic auth over https with a self signed cert but I guess
> that's out the window since basic auth has "huge security flaws".
>
> ChrisB.
Hmmm, thanks for the idea... perhaps I was over-engineering the problem.
The "huge security flaws" are basically things like every request
containing the plaintext authentication data that can be easily sniffed
and no protection against brute force attacks.
For the benefit of the archives, here is my full solution, which I am happy
with (after further reading on the matter).
If I simply use a mod_rewrite rule to force a subdirectory to be SSL-only
and with HTTP basic auth, that should be enough to stop casual
miscreants. If I also use digest auth rather than basic auth, that
should prevent the password being sent in an easily reversible encoding
in the first place... together I should have pretty strong
authentication.
With the addition of another module, BruteWatch, I can keep track
of any attempts to obtain valid credentials by a brute force attack and
take appropriate action.
As always, !Lug gives me a simple answer to a problem I had overthought.
Thanks!
-Penfold
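The setup described in the post above (a subdirectory forced onto HTTPS by mod_rewrite, then protected with digest auth), written out as an Apache 2.2 configuration. This is an added illustration, not configuration from the original post or from any !Lug member. The hostname, the /private directory, the certificate paths and the htdigest file path are all assumed for the example, and BruteWatch is not configured here because the post gives no details of it.

```apache
# Added example configuration, not from the original post.
# Assumes mod_ssl, mod_rewrite and mod_auth_digest are loaded, that the
# protected scripts live in /var/www/html/private (served as /private),
# and that the digest password file is /etc/apache2/private.htdigest.
# All paths and the hostname are hypothetical.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # Only /private is pushed onto HTTPS; everything else stays on plain HTTP.
    RewriteEngine On
    RewriteRule ^/private(/.*)?$ https://%{HTTP_HOST}/private$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Self-signed certificate, as suggested in the thread (paths assumed).
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    <Directory /var/www/html/private>
        # Belt and braces: refuse to serve this directory over plain HTTP
        # even if some other vhost ever maps it.
        SSLRequireSSL

        AuthType Digest
        # The realm MUST match the realm given to htdigest, or every login fails.
        AuthName "private"
        AuthDigestDomain /private/
        AuthDigestProvider file
        AuthUserFile /etc/apache2/private.htdigest
        Require valid-user
    </Directory>
</VirtualHost>
```

The password file is created once with `htdigest -c /etc/apache2/private.htdigest private alice` (drop `-c` for further users); the realm argument, `private` here, has to be the same string as `AuthName`. Keep the file outside DocumentRoot so it can never be fetched through the web server, and remember that with a self-signed certificate the browser warning is the only thing standing between the user and a man-in-the-middle, so the certificate fingerprint should be checked the first time it is accepted.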