[LUAU] apache security question
Tom Gordon
memeyou at memeyou.net
Tue Feb 8 14:04:38 PST 2005
Charles Lockhart wrote:
> So, we have a script or something that every time you create a
> directory in that secure directory, the script adds an .htaccess file,
> and the .htaccess file is used to enforce privacy, requiring a
> username and password to log in. I'm told that this should be secure
> enough to keep people from accessing the private area, and to prevent
> information from turning up on Google + etc.
>
> So my question is, is that correct? I have no webmaster experience,
> and very limited privacy/security experience, so I'm not setting that
> up, our network admin is, but I figured I'd get a second (third,
> fourth, fifth...) opinion.
>
HTTP Auth should be enough for a wiki. I don't know anything about your
particular wiki, so consider the flaw of HTTP Auth for yourself. The
session is handled entirely on the client-side (no specification for
"logging off"). And the authentication can be passed in the URI/REFERER
strings. A funky browser behavior could, in turn, send this kind of info
to a foreign entity (google, etc). But I may just be paranoid.
Tom
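
A check for the URI/Referer leak mentioned in the reply above, as an added example that is not part of the original message: it scans Apache combined-format access log lines for URLs that embed `user:password@` credentials in the request target or the Referer field. The function names, host names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def userinfo_of(url):
    """Return (username, has_password) if url embeds credentials, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL (e.g. bad IPv6 literal)
        return None
    if parts.username is None:
        return None
    return parts.username, parts.password is not None

def find_credential_leaks(lines):
    """Yield (line_no, field, client, username, has_password).

    The password itself is never returned, so the report is safe to share.
    """
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        req = m.group("request").split()
        target = req[1] if len(req) >= 2 else ""
        for field, url in (("request", target), ("referer", m.group("referer"))):
            info = userinfo_of(url)
            if info:
                yield no, field, m.group("host"), info[0], info[1]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '192.0.2.10 - alice [08/Feb/2005:14:04:38 -0800] "GET /private/HomePage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Feb/2005:14:05:02 -0800] "GET /public/index.html HTTP/1.1" 200 812 "http://alice:s3cret@wiki.example.org/private/HomePage" "Mozilla/5.0"',
    '192.0.2.44 - - [08/Feb/2005:14:06:10 -0800] "GET http://bob@wiki.example.org/private/ HTTP/1.0" 401 401 "-" "Lynx/2.8"',
]

if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_LOG):
        print(hit)
```

The first sample line is an ordinary authenticated request and is not flagged; only URLs that carry credentials in the authority part are reported.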