
Re: A more secure form of .htaccess?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I am wondering if any of you have had similar problems.  What is a more
> secure way for people to login?  Is SSL an option, and if so, how do I
> go about using it?  Do I have to purchase a certificate?  Or is there
> some other option?  Finally, should I be using .htaccess at all, or is
> there a better way?  Thank you in advance for your advice.

You will run into this problem with just about all forms of authentication.
You *can* generate a self-signed certificate for free; however, most web
browsers will pop up a warning saying the certificate cannot be verified.  If
you had some way of forcing all browsers in the building to accept it, then
no one would be any the wiser.  There is a HOWTO on Apache and SSL that
explains how to do this.

The .htaccess method is not a terrible method, assuming people don't have
general access to the files (they are on a server they don't have access to,
or permissions on the files are set up so that no one has access to them).
Some say this is a better method than using generated forms, because of its
ease of administration; however, the problem is with logging out.  The
authentication method has no way of really logging out, and there is not a
real standard.  Most (but not all) browsers will reset authentication when
they reach a 404 in the realm they are logged in to.  So it depends on the
application.


Jay
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8xHHlkrX4GRLrvwgRAsyzAKCJMlW2Nfzlu0SslJtIiX5OxVzTsQCdEASJ
5Av1BlRsHsJQLC5xVC2Ffz0=
=fquZ
-----END PGP SIGNATURE-----
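
The conditions discussed in the message above (SSL in front of the login, and a password file that ordinary users cannot read) can be checked mechanically. The following Python audit is an added example, not part of the original message: AuthType, AuthUserFile and SSLRequireSSL are real Apache directives, while the sample .htaccess contents, paths and finding codes are constructed for illustration, and AuthUserFile is assumed to be an absolute path.

```python
import posixpath
import stat

DOCROOT = "/var/www"  # constructed sample document root

# Constructed sample: Basic auth over plain HTTP, password file under the docroot.
WEAK = """
AuthType Basic
AuthName "Staff Area"
AuthUserFile /var/www/intranet/.htpasswd
Require valid-user
"""

# Constructed sample: same realm, SSL required, password file outside the docroot.
HARDENED = """
SSLRequireSSL
AuthType Basic
AuthName "Staff Area"
AuthUserFile /etc/apache/passwd/staff
Require valid-user
"""

def audit_htaccess(text, docroot, userfile_mode):
    """Return finding codes for a Basic-auth .htaccess.

    userfile_mode is the st_mode of the AuthUserFile, passed in so the check
    runs offline; on a server use os.stat(path).st_mode.
    """
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            directives[name.lower()] = arg.strip().strip('"')
    if directives.get("authtype", "").lower() != "basic":
        return []
    findings = []
    # Basic auth only base64-encodes the password, so it needs SSL underneath.
    if "sslrequiressl" not in directives:
        findings.append("no-ssl")
    userfile = posixpath.normpath(directives.get("authuserfile", ""))
    if posixpath.isabs(userfile):
        root = posixpath.normpath(docroot)
        # A password file under the docroot may be served to any visitor.
        if posixpath.commonpath([root, userfile]) == root:
            findings.append("userfile-in-docroot")
        # World-readable bit set: any local account can copy the hashes.
        if userfile_mode & stat.S_IROTH:
            findings.append("userfile-world-readable")
    return findings
```

The web server's own account still has to read the password file, so the permission check only flags the world-readable bit rather than demanding that no one can read it.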

