httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Owen Boyle <>
Subject Re: htpasswd and different kinds of encryption
Date Tue, 08 Jan 2002 11:50:11 GMT
"TD - Sales International Holland B.V." wrote:
> Could you please give me some starting hints on how to lock an account after
> 3 times trying the wrong password? I work with .htaccess/.htpasswd files and
> haven't seen anything like that option in the docs etc.

You'd have to make a CGI script to handle this. The remote user's name
is available in the environment variable REMOTE_USER so you could keep a
count of times that user fails login (or if you check in the error_log,
you always get a message; "user joe: authentication failure.." when a
login fails). Then you could remove his entry from the password file.

However, at the browser end, you wouldn't get a message "Sorry your 3
tries are up" - you'd just get "retry" forever.

> ... so I'm really weary (is that the word? :-))

Probably "wary" (careful) - although you might be "weary" (tired) too

> One other thing I'm
> worried about is browser cache (not to mention the remembering of
> username's/passwords. I have a password protected directory at home and if my
> IE remembers the username/password I don't even see it's a password protected
> part it just logs in BAD BAD BAD lousy security)..... You have to close the
> browser for it to forget the password. Now people could log in and after that
> go to some other site. (say some news site or something). Thinking there's no
> security issue here they just leave the browser open and next day someone
> comes by but he/she can access or password protected site without problems
> since it's still in the cache as long as he/she doesn't close the browser. I
> consider this a huge security "flaw" as well as the remembering. Any ways to
> eliminate these security issues?

If you log in to your unix station, do a bit of work then go for a
coffee, when you come back and find you're still logged in, do you
consider that a huge security flaw? Maybe you do, but it's the same
thing. You provide the locking the mechanism but you have no control
over how a user uses it. If someone wants to leave themself logged in
you can't stop it.

Remember that the way HTTP works: every request for a page is a separate
transaction and each one causes the server to send a 401 "authorisation
required" message. So the browser MUST cache the user/pass or it would
have to prompt the user for a password on every link and on every image

Anyway, if what your protecting is that secret - why put it on the web
at all? It is much more likely to be stolen by a network snooper than by
someone stealing a password from a browser cache. Don't worry about
other people reading the screen - that's like sending someone a book and
worrying about someone else reading it.


Owen Boyle.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message