httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <>
Subject Re: [users@httpd] Custom http auth
Date Wed, 08 Apr 2009 13:13:38 GMT
On Wed, Apr 8, 2009 at 9:04 AM, Tom Evans <> wrote:
> On Wed, 2009-04-08 at 14:43 +0200, wrote:
>> Hello List,
>> is there a way to build or code or make  a custom HTTP Auth? The plain
>> htaccess one looks ugly and has not all the features that i want.
>> Are there any alternatives?
>> Cheers,
>> Mario
> Tom

The way the auth looks is determined by your browser. The Apache
server just tells the browser that a certain kind of auth is required,
and the browser does what ever it's programmer's told it to do to
satisfy that auth (e.g., presenting the user with a dialog box). If
you want pretty auth, your best bet is to implement it in your server
side scripting, but this is non-trivial if you want it to actually be
secure. Not that it's impractical to do, but there is more that needs
to go into it than a lot of web site designers seems to think.
Specifically, making sure a person's password is not visible in the
network traffic is key, and also making sure that the same submitted
login tokens are not valid more than once (even if encrypted, Mallory
can just resubmit the same encrypted values to hack in as a different
user). The most secure auth is always done over SSL.


Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message