[LUAU] apache security question

Tom Gordon memeyou at memeyou.net
Tue Feb 8 14:04:38 PST 2005


Charles Lockhart wrote:

> So, we have a script or something that every time you create a 
> directory in that secure directory, the script adds an .htaccess file, 
> and the .htaccess file is used to enforce privacy, requiring a 
> username and password to log in.  I'm told that this should be secure 
> enough to keep people from accessing the private area, and to prevent 
> information from turning up on Google + etc.
>
> So my question is, is that correct?  I have no webmaster experience, 
> and very limited privacy/security experience, so I'm not setting that 
> up, our network admin is, but I figured I'd get a second (third, 
> fourth, fifth...) opinion.
>
HTTP Auth should be enough for a wiki.  I don't know anything about your 
particular wiki, so consider the flaw of HTTP Auth for yourself.  The 
session is handled entirely on the client-side (no specification for 
"logging off").  And the authentication can be passed in the URI/REFERER 
strings.  A funky browser behavior could, in turn, send this kind of info 
to a foreign entity (google, etc).  But I may just be paranoid.

Tom
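
A defender's check for the URI/REFERER exposure raised in the reply above, added here as an example and not part of the original message: it scans Apache access-log lines for URLs that carry a user:password@ part and masks it before reporting. It assumes the Combined Log Format; the sample lines, hostnames and credentials are constructed.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format (assumed):
# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def redact(url):
    """Return (has_credentials, url with any userinfo part masked)."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL, nothing to inspect
        return False, url
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or not userinfo:  # no "user[:password]@" in the authority
        return False, url
    return True, parts._replace(netloc="REDACTED@" + hostport).geturl()

def find_leaks(lines):
    """List (line_number, field, redacted_url) for each credential-bearing URL."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue            # not a Combined Log Format line
        for field in ("target", "referer"):
            leaked, safe = redact(match.group(field))
            if leaked:
                findings.append((number, field, safe))
    return findings

# Constructed sample lines (documentation IP ranges and example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - alice [08/Feb/2005:14:04:38 -0800] "GET /private/wiki/ '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Feb/2005:14:05:02 -0800] "GET /public/index.html '
    'HTTP/1.1" 200 812 "http://alice:s3cret@wiki.example.org/private/wiki/" '
    '"Mozilla/5.0"',
    '203.0.113.5 - - [08/Feb/2005:14:06:11 -0800] "GET /public/a@b.html '
    'HTTP/1.1" 200 99 "http://www.example.com/search?q=wiki" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, field, safe in find_leaks(SAMPLE_LOG):
        print(f"line {number}: credentials in {field}: {safe}")
```

Only the URL authority is inspected, so an "@" inside a path such as /public/a@b.html is not reported.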


