Re: Re: Calling script after htaccess authentification

Since I've seen warnings within the pages of Perlmonk that $ENV{'REMOTE_USER'} can be spoofed I'd rather not use that. And I don't believe it could answer the whole problem in any case.

I'm simply trying to find a means to avoid a double login process on a system which requires some directories be password protected using the standard htaccess authentification and some content be password protected through Perl scripts which then assemble dynamic reports to be sent to the browser.

If not for the fact that I've heard rumors from two different sources that this is possible without mod_perl I'd give up the quest and just force the users to live with the logging in twice problem.

If anyone knows for a fact that this is not possible I don't mind taking the bad news to my boss. I just don't want to be sitting there with egg on the face when somewhere out of the woodwork comes the news that it's easy if you just do .....

In any case, I hope that somewhere within these words I've clarified the point.

Claude

Comment on Re: Re: Calling script after htaccess authentification

Replies are listed 'Best First'.
Re: Re: Re: Calling script after htaccess authentification by IlyaM (Parson) on Jul 31, 2002 at 07:42 UTC
$ENV{'REMOTE_USER'} cannot be spoofed. It is environment variable which is set by Apache on the basis of authorization results. If your Apache configuration is secure you can trust it. -- Ilya Martynov (http://martynov.org/)	[reply]
Re: Re: Re: Re: Calling script after htaccess authentification by Xxaxx (Monk) on Jul 31, 2002 at 19:44 UTC
IlyaM, Thanks for the encouraging news. I did some checking based on your input and found that the spoofing of REMOTE_USER has to do with some scripts relying on globals from CGI rather than looking directly at the ENV hash. I don't pretend to know the innards of what that means. I do know that I use the ENV variables directly and based on your comment and what I could find it appears to be solid. Thanks Claude	[reply]