Justin,
> I can't see a problem with it IMHO, apart from Fergal's point -- it's
> restricted in how you look up the username/passwords on the server.
>
> Also there's a minor point of how pretty the auth dialog is; some sites
> would prefer a nice-looking web page I guess.
>
> Also it generally requires mucking about with .htaccess or /etc/httpd/conf
> files, which a lot of sites don't like doing -- or maybe their hosting
> companies don't let them do?

Well, the dialog/passwd/htaccess/conf are all optional with PHP, because
it's hooked directly into Apache. But only with mod_php. I guess it's just a
toss-up between security and compatibility.

> You should always check HTTP_REFERRER from now on, there's been a spate of
> possible attacks discussed recently involving:

I check it anyway, but I hadn't thought of tying it into the auth code. If it
can be spoofed though, it's still not as secure as I'd like.

Thanks,
adam