- From: Mike Meyer <mwm@contessa.phone.net>
- Date: Tue, 26 Mar 1996 20:40:17 PST
- To: www-talk@w3.org
> I've written CGI scripts which do Basic level authentication. The only
> catch is that servers seem to keep HTTP_AUTHENTICATE to themselves and
> not pass the variable on to the script, even if the server is not doing
> authentication on that URL space.

Unix servers that pretend to be secure SHOULD NOT pass authentication headers to CGI scripts via the environment. The username and password are trivially extracted from the contents of a basic authentication header. The environment of a Unix process is publicly available on most (all?) unix systems. Putting the authentication header in the environment lets other users of your Unix system grab username/password pairs if they want them.

There doesn't seem to be a consensus on how this information is passed to CGI scripts in a secure manner; check your server docs to see what they did. If you really want to do this and source is available, it's probably pretty simple to find the code that prevents authentication headers from going into the environment and disable it.

	<mike
Received on Tuesday, 26 March 1996 23:47:07 UTC
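
An added example, not part of the original message: a sketch of the filtering the reply describes, where the server builds the CGI environment without credential-bearing headers and gives the script only the name of the user it has already authenticated. The function names, the `HTTP_AUTHORIZATION` variable name and the sample request are constructed for illustration; `AUTH_TYPE` and `REMOTE_USER` are the standard CGI variables.

```python
import base64

# Request headers that carry credentials and must not reach the CGI environment.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization"}

# Constructed sample request (not from the original message).
SAMPLE_HEADERS = {
    "User-Agent": "ExampleBrowser/1.0",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii"),
}


def decode_basic(header_value):
    """Return (user, password) from a Basic header value, or None if it is not one."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def build_cgi_env(headers, authenticated_user=None):
    """Map request headers to HTTP_* variables, dropping credential headers."""
    env = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            continue  # never copy the raw credential into the child's environment
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if authenticated_user is not None:
        # The script learns who was authenticated, not the password.
        env["AUTH_TYPE"] = "Basic"
        env["REMOTE_USER"] = authenticated_user
    return env


def leaked_credentials(env):
    """Audit helper: names of variables whose value decodes as Basic credentials."""
    return sorted(k for k, v in env.items() if decode_basic(v) is not None)


if __name__ == "__main__":
    # A server that copies every header puts the password in the environment.
    naive = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in SAMPLE_HEADERS.items()}
    print("naive env leaks:", leaked_credentials(naive))
    print("filtered env leaks:", leaked_credentials(build_cgi_env(SAMPLE_HEADERS, "alice")))
```

`leaked_credentials` can be run over any environment a server hands to its CGI children to confirm that no variable still carries a decodable Basic credential.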