Posted to users@httpd.apache.org by Nick Cooper <ni...@jdi-solutions.co.uk> on 2008/07/15 16:07:30 UTC

[users@httpd] Apache Authentication and PHP

Hi,

Apache user authentication results in two variables when used with PHP:
$_SERVER[PHP_AUTH_USER] and $_SERVER[PHP_AUTH_PW].

I'm using the SSPI module to validate users against Windows. This results in
the user's Windows password being non-encrypted and exposed to PHP. Is there
any config setting to encrypt this password so it is not directly accessible
to PHP?

I know the password isn't displayed after the PHP is processed, but often
$_SERVER is dumped to the PHP logs on an error. Passwords which should be
secure have now got a chance of getting into the wrong hands.

Nick
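
A mitigation for the log exposure described in the message above, as an added example that is not part of the original post: it redacts the credential entries before $_SERVER is logged and removes them from the superglobal once they are no longer needed. The helper names, the sample values, and the presence of the two *_AUTHORIZATION keys (which depends on the server setup) are assumptions.

```php
<?php
// Added example (not from the original post).
// Keys that can carry the password or the raw Authorization header.
// The two *_AUTHORIZATION keys appear only under some setups (assumption).
const SENSITIVE_SERVER_KEYS = [
    'PHP_AUTH_PW',
    'HTTP_AUTHORIZATION',
    'REDIRECT_HTTP_AUTHORIZATION',
];

/** Return a copy of $server that is safe to write to a log. */
function redact_server(array $server): array
{
    foreach (SENSITIVE_SERVER_KEYS as $key) {
        if (array_key_exists($key, $server)) {
            $server[$key] = '[REDACTED]';
        }
    }
    return $server;
}

/** Drop the secrets from the live superglobal once the app is done with them. */
function scrub_server_globals(): void
{
    foreach (SENSITIVE_SERVER_KEYS as $key) {
        unset($_SERVER[$key]);
    }
}

// Error handler that logs a redacted snapshot instead of the raw $_SERVER.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    $dump = json_encode(redact_server($_SERVER), JSON_PARTIAL_OUTPUT_ON_ERROR);
    error_log(sprintf('[%d] %s at %s:%d server=%s', $no, $msg, $file, $line, $dump));
    return false; // let PHP's normal error handling continue
});

// Constructed sample input standing in for a request authenticated by Apache.
$_SERVER['PHP_AUTH_USER'] = 'EXAMPLE\\alice';
$_SERVER['PHP_AUTH_PW']   = 'constructed-sample-password';

// The user name stays visible for auditing; the password does not.
$snapshot = redact_server($_SERVER);
echo $snapshot['PHP_AUTH_USER'], ' ', $snapshot['PHP_AUTH_PW'], PHP_EOL;

// After this call, later code and dumps of $_SERVER no longer see the password.
scrub_server_globals();
var_dump(isset($_SERVER['PHP_AUTH_PW']));
```

This only limits where the password can leak after the request starts; the value is still delivered to PHP, and under mod_php the Authorization header remains readable through apache_request_headers().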