Posted to users@httpd.apache.org by dan <in...@hostinthebox.net> on 2005/03/21 21:09:59 UTC
[users@httpd] Anti-password trading/sharing utilities
Hello, all -

I have a number of Web sites that use a membership-based access system,
using plain HTTP Auth. I know we've all used this type of protection in
the past, so I thought I'd ask some questions about it.

For the last few weeks, I have been putting a considerable amount of time
into the research and development of a script written in PHP to combat
the use of stolen, traded, or otherwise unauthorized passwords. The
idea is, make the system only allow one instance of said user/password
combination, without disrupting normal business. I am, however, still
open to suggestions before this is even complete.

There are a number of commercial products out there that work wonders,
most notably ProxyPass. There's also one called iProtect, which I am
not too fond of. These are actually Apache modules that utilize a
number of techniques to ensure that only authorized hosts have access to
a particular Web site based on a number of metrics including IP
addresses, cookies, and timing.

I am looking for a similar utility, that will help combat the use of
stolen, traded, or otherwise unauthorized passwords. I am hoping that
some of you have had experience with this sort of problem in the past,
if you've dealt with Web sites with a considerably large userbase that
uses HTTP Auth. The solution that I am ultimately looking for will be
Open Source, so that it can be modified with the author's permission, it
will be safe, fast, and overall secure. However, it cannot be a
"gateway" solution that would require a Webmaster to move or remove
content, pages, or the like. With this in mind, the solution would
preferably be an Apache module.

Anyway, I thought I'd send this email out to the group as a whole. I
think that this area of security is not very well controlled, and with a
little bit of brainstorming, we might be able to put some more control
back in it.

Thanks again for the time

-dant
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
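
Added example, not part of the original post and not code from any product named in it: a log-side check for the IP-address and timing metrics the message mentions, flagging an HTTP Auth user whose successful requests arrive from several addresses within a short window. The function name, thresholds and sample lines are assumptions constructed here; the input is assumed to be Apache Common Log Format in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: host ident authuser [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges, invented users).
SAMPLE_LOG = [
    '192.0.2.10 - alice [21/Mar/2005:10:00:00 +0000] "GET /members/ HTTP/1.1" 200 5120',
    '192.0.2.20 - bob [21/Mar/2005:10:00:30 +0000] "GET /members/ HTTP/1.1" 200 5120',
    '192.0.2.21 - bob [21/Mar/2005:10:03:00 +0000] "GET /members/a.jpg HTTP/1.1" 200 880',
    '198.51.100.7 - alice [21/Mar/2005:10:05:00 +0000] "GET /members/ HTTP/1.1" 200 5120',
    '198.51.100.8 - carol [21/Mar/2005:10:06:00 +0000] "GET /members/ HTTP/1.1" 401 401',
    '198.51.100.9 - - [21/Mar/2005:10:07:00 +0000] "GET / HTTP/1.1" 200 1200',
    '203.0.113.9 - alice [21/Mar/2005:10:12:00 +0000] "GET /members/b.jpg HTTP/1.1" 200 990',
    '203.0.113.50 - bob [21/Mar/2005:14:00:00 +0000] "GET /members/ HTTP/1.1" 200 5120',
]

def shared_logins(lines, window=timedelta(minutes=30), max_ips=2):
    """Return {user: sorted IPs} for users whose accepted requests came from
    more than max_ips distinct addresses inside one sliding time window."""
    recent = defaultdict(deque)  # user -> (time, ip) pairs, oldest first
    flagged = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line
        ip, user, stamp, status = m.groups()
        # "-" means no authenticated user; 401 means the credentials were rejected
        if user == "-" or status == "401":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        seen = recent[user]
        seen.append((when, ip))
        while when - seen[0][0] > window:  # drop entries older than the window
            seen.popleft()
        ips = {addr for _, addr in seen}
        if len(ips) > max_ips:
            flagged.setdefault(user, set()).update(ips)
    return {u: sorted(a) for u, a in flagged.items()}
```

A user behind a proxy farm or on a roaming connection can legitimately cross the threshold, so the result is a list to review rather than an automatic lockout.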