Re: Security issues

Just a crazy thought...
But, what about programmatically changing the .htpasswd file?

If when some one logs in you change the .htpasswd file to require an unknown (to the users) username:password combination, that should prevent users from accessing html pages in the .htaccess folder. Then when that person logs out the .htpasswd file is returned to a known username:password.

This might work in some limited sense.
But you'll have to seriously address PWS's question: "What do you intend to do if someone leaves without logging out?"

Claude

Comment on Re: Security issues

Replies are listed 'Best First'.
Re: Re: Security issues by perigeeV (Hermit) on May 29, 2001 at 14:09 UTC
Yeah, that was my thought too, but the problem is file locking. Apache isn't going to honor any lock you put on the file, so with multiple httpd's hitting that .htaccess your definately going to get a mangled read somewhere along the line. Update: That would be a cool Apache module wouldn't it? mod_dynamic_htaccess.	[reply]
Re: Re: Re: Security issues by Stamp_Guy (Monk) on May 29, 2001 at 20:30 UTC
I really like this idea. Is there any way around that problem? If anyone has any ideas, I'm all ears!	[reply]
Re: Re: Re: Re: Security issues by Xxaxx (Monk) on May 31, 2001 at 03:47 UTC
The .htaccess protected dir would have to be a gateway into the scripts. Otherwise the "okayed" user would be rechallenged for password after the .htpasswd file change. At least that is how it worked in a very quick and dirty test I did. If the .htaccess protected dir was just used as a gateway, then you could handle filelocking and "who's on first" problems in the standard way -- vhat ever dat is. But for this to work all subsequent pages might need to be dynamically served through scripts. This might be made to function in a limited sense for special cases. Such as low load, and pages which can be served dynamically after authenticated entrance. For me when it starts to get this complicated I go back and ask myself: "Why did I want to make it one-at-a-time in the first place?" ;-) Claude	[reply]
Re: Re: Security issues by sierrathedog04 (Hermit) on May 29, 2001 at 20:58 UTC
This approach would probably not work. When using basic authentication, the browser caches the password and resends it every time the browser visits a new page. If you change the .htpasswd file then it could easily lock out a singleton user as well. Even if Apache Server caches its own copy of the password, my understanding is that a server can dump its cache. It is easier to ride the horse in the direction it is going, as Ken Kesey used to say. Basic authentication doesn't test for duplicate logins and convoluted hacks to get it to do so are not a fruitful path to pursue. Update: Another issue is that if Apache does cache the password then changing the .htpasswd file won't accomplish anything. Duplicate users will still be able to get in because Apache won't know that the .htpasswd file has been temporarily changed.	[reply]