Posted to users@httpd.apache.org by dan <in...@hostinthebox.net> on 2005/03/21 21:09:59 UTC

[users@httpd] Anti-password trading/sharing utilities

Hello, all -

I have a number of Web sites that use a membership-based access system, 
using plain HTTP Auth.  I know we've all used this type of protection in 
the past, so I thought I'd ask some questions about it.

For the last few weeks, I have been giving a considerable amount of time 
into the research and development of a script written in PHP to combat 
the use of stolen, traded, or otherwise unauthorized passwords.  The 
idea is, make the system only allow one instance of said user/password 
combination, without disrupting normal business.  I am, however, still 
open to suggestions before this is even complete.

There are a number of commercial products out there that work wonders, 
most notably ProxyPass.   There's also one called iProtect, which I am 
not too fond of.  These are actually Apache modules that utilize a 
number of techniques to ensure that only authorized hosts have access to 
a particular Web site based on a number of metrics including IP 
addresses, cookies, and timing.

I am looking for a similar utility, that will help combat the use of 
stolen, traded, or otherwise unauthorized passwords.  I am hoping that 
some of you have had experience with this sort of problem in the past, 
if you've dealt with Web sites with a considerably large userbase that 
uses HTTP Auth.  The solution that I am ultimately looking for will be 
Open Source, so that it can be modified with the author's permission, it 
will be safe, fast, and overall secure.  However, it cannot be a 
"gateway" solution that would require a Webmaster to move or remove 
content, pages, or the like.  With this in mind, the solution would 
preferably be an Apache module.

Anyway, I thought I'd send this email out to the group as a whole.  I 
think that this area of security is not very well controlled, and with a 
little bit of brainstorming, we might be able to put some more control 
back in it.

Thanks again for the time
-dant
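
As an added example (not part of this post, nor code from ProxyPass or iProtect), here is a Python script that applies one of the metrics the post mentions, the client IP address, to Apache access logs: it flags HTTP Auth usernames that were used successfully from more than one address inside a short sliding window, while ignoring failed requests and long gaps that a single user moving between home and work would produce. The log lines are constructed, and the 10-minute window and one-IP threshold are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format; the third field is REMOTE_USER, i.e. the HTTP Auth username.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, user, timestamp, status) for an authenticated request, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("user") == "-":
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("user"), ts, int(m.group("status"))

def find_shared_accounts(lines, window_minutes=10, max_ips=1):
    """Map each username to the sorted client IPs it was seen from, for users whose
    successful requests came from more than max_ips distinct addresses inside any
    sliding window of window_minutes.  4xx/5xx lines are ignored: a 401 from a new
    address is a wrong guess at the password, not evidence of a shared login."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] < 400:   # skip unparsable lines and failed requests
            events[parsed[1]].append((parsed[2], parsed[0]))
    flagged = defaultdict(set)
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span is at most window_minutes
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) > max_ips:
                flagged[user].update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - alice [21/Mar/2005:21:09:59 +0000] "GET /members/ HTTP/1.1" 200 512
203.0.113.5 - alice [21/Mar/2005:21:12:10 +0000] "GET /members/p2.html HTTP/1.1" 200 734
198.51.100.9 - alice [21/Mar/2005:21:14:03 +0000] "GET /members/ HTTP/1.1" 200 512
192.0.2.44 - bob [21/Mar/2005:21:15:00 +0000] "GET /members/ HTTP/1.1" 200 512
192.0.2.77 - bob [21/Mar/2005:23:40:00 +0000] "GET /members/ HTTP/1.1" 200 512
192.0.2.88 - bob [21/Mar/2005:23:41:00 +0000] "GET /members/ HTTP/1.1" 401 401
"""
```

On the sample, `find_shared_accounts(SAMPLE_LOG.splitlines())` flags only alice (two addresses within five minutes); bob's two addresses are hours apart and his 401 is discarded, so widening the window is what turns him into a hit. Behind a proxy or NAT many legitimate users share one address, so IP alone gives false negatives there and a cookie or session marker is needed as a second signal.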

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org