Re: custom authentication functions

From: Mike Meyer <mwm@contessa.phone.net>
Date: Tue, 26 Mar 1996 20:40:17 PST
Message-Id: <19960326.75B3598.12606@contessa.phone.net>
To: www-talk@w3.org
> I've written CGI scripts which do Basic level authentication.  The only
> catch is that servers seem to keep HTTP_AUTHENTICATE to themselves and
> not pass the variable on to the script, even if the server is not doing
> authentication on that URL space.

Unix servers that pretend to be secure SHOULD NOT pass authentication
headers to CGI scripts via the environment. The username and password
are trivially extracted from the contents of a basic authentication
header. The environment of a Unix process is publicly available on
most (all?) Unix systems. Putting the authentication header in the
environment lets other users of your Unix system grab
username/password pairs if they want them.

There doesn't seem to be a consensus on how this information is passed
to CGI scripts in a secure manner; check your server docs to see what
they did. If you really want to do this and source is available, it's
probably pretty simple to find the code that prevents authentication
headers from going into the environment and disable it.

	<mike
Received on Tuesday, 26 March 1996 23:47:07 GMT
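The two claims in Mike's message, that a Basic credential is trivially decoded and that an environment variable therefore leaks the password to anyone who can read the process environment, can be checked with a small audit script. The following is an added example, not code from the thread; the variable names `HTTP_AUTHORIZATION` (the CGI convention) and `HTTP_AUTHENTICATE` (the name used in the quoted post) and the `/proc/<pid>/environ` layout are assumptions about the server and the operating system.

```python
import base64
import binascii
import glob

# Variable names under which a server might hand the client's Authorization
# header to a CGI script (assumed; the quoted post uses HTTP_AUTHENTICATE).
AUTH_VARS = ("HTTP_AUTHORIZATION", "HTTP_AUTHENTICATE")


def basic_credentials(header):
    """Return (user, password) for a Basic credential, else None.

    This is the 'trivial extraction' the message refers to: Basic is just
    base64("user:password") with no secrecy at all.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def leaked_credentials(environ):
    """Map each auth-carrying variable in an environment to the credentials it exposes."""
    found = {}
    for name in AUTH_VARS:
        creds = basic_credentials(environ.get(name, ""))
        if creds:
            found[name] = creds
    return found


def parse_environ_blob(blob):
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def audit_proc():
    """Yield (pid, variable, user) for each readable process environment carrying Basic creds."""
    for path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(path, "rb") as fh:
                blob = fh.read()
        except OSError:
            continue  # unreadable: current kernels restrict environ to the process owner
        pid = int(path.split("/")[2])
        for var, (user, _pw) in leaked_credentials(parse_environ_blob(blob)).items():
            yield pid, var, user  # report the user only; never echo the password


if __name__ == "__main__":
    for pid, var, user in audit_proc():
        print(f"pid {pid}: {var} exposes Basic credentials for user {user!r}")
```

Run it as an unprivileged user on the server host: any line of output means a script's environment is readable to you and carries a decodable credential, which is exactly the exposure the message warns about.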