 

How can I make sure AuthName works in all browsers?

The code below appears to show the text "HELLO WORLD" just fine in Firefox, IE, Safari, but not in Chrome.

<Files wp-login.php>
    AuthType basic
    AuthName "HELLO WORLD"
    AuthBasicProvider file
    AuthUserFile /home/.htpasswd
    Require valid-user
</Files>
ErrorDocument 401 "Authentication required"

How can I make sure AuthName works in all browsers?

IMB asked Mar 17 '16 15:03


1 Answer

The AuthName directive sets the realm parameter in the corresponding header, something like:

WWW-Authenticate: Basic realm="HELLO WORLD"

I found a Chromium ticket from October 2015 that reports a man-in-the-middle attack related to HTTP authentication: Issue 544244 - HTTP basic auth credentials prompt should make the origin stand out more. During the discussion it was pointed out that the text in realm cannot be trusted and can be used in phishing attacks to trick users into revealing passwords to third parties. I'm not a security expert, but I understand that a proxy can inject headers (and usually does), hence the issue.

Apparently, the realm was removed from the authentication dialogue as a result of this, and the changes were eventually ported to Chrome. You can see the Do not show untrustworthy strings in the basic auth dialog code review for further details.

Álvaro González answered Sep 18 '22 18:09
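To make the answer's point concrete, the following is an added example (not code from the question, the answer or Apache itself) that shows what an AuthName becomes on the wire, how a client parses the challenge, and why the realm text cannot be trusted: the realm never travels back to the server in the Authorization header, and any on-path proxy that can rewrite response headers can put whatever text it likes in the dialog. The helper names and the sample headers are my own constructions; the Aladdin/open sesame value in the test is the worked example from RFC 7617.

```python
"""Added example: Basic auth challenge/response and the untrusted realm.

Assumptions (not from the original page): helper names are mine and the
sample headers below are constructed for illustration.
"""
import base64
import re

# RFC 7230 token and RFC 7235 auth-param: token "=" ( token / quoted-string )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM_RE = re.compile(
    rf'(?P<name>{_TOKEN})\s*=\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>{_TOKEN}))'
)


def _quote(value: str) -> str:
    """Render an RFC 7230 quoted-string (escape backslash and double quote)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def challenge_for_authname(authname: str) -> str:
    """The WWW-Authenticate value corresponding to an AuthName directive,
    e.g. AuthName "HELLO WORLD" -> Basic realm="HELLO WORLD"."""
    return f"Basic realm={_quote(authname)}"


def parse_basic_challenge(header_value: str) -> dict:
    """Parse a Basic challenge into its auth-params (keys lower-cased,
    quoted-pair escapes removed). Raises ValueError for another scheme."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic challenge: {scheme!r}")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        if m.group("quoted") is not None:
            value = re.sub(r"\\(.)", r"\1", m.group("quoted"))
        else:
            value = m.group("token")
        params[m.group("name").lower()] = value
    return params


def build_authorization(user: str, password: str) -> str:
    """What the browser sends back once the user fills in the dialog.
    The realm is NOT part of it: the credentials go to whoever produced
    the challenge, regardless of what the realm text claimed."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def inject_realm(challenge: str, new_realm: str) -> str:
    """Simulate an on-path proxy rewriting the realm of a 401 challenge.
    Any hop that can edit response headers can do this, and the client
    cannot distinguish the rewritten realm from the origin's own."""
    params = parse_basic_challenge(challenge)
    params["realm"] = new_realm
    return "Basic " + ", ".join(f"{k}={_quote(v)}" for k, v in params.items())


def demo() -> dict:
    """Constructed exchange: origin challenge, proxy tampering, client reply."""
    origin = challenge_for_authname("HELLO WORLD")          # from the page's config
    tampered = inject_realm(origin, "Session expired, re-enter your e-mail password")
    return {
        "origin_realm": parse_basic_challenge(origin)["realm"],
        "tampered_realm": parse_basic_challenge(tampered)["realm"],
        # Identical credential blob either way: the realm never reaches the server.
        "authorization": build_authorization("alice", "s3cret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The realm is therefore nothing more than a label the client chooses to display; Chrome's decision to drop it from the dialog is a defence against exactly the `inject_realm` case, and no Apache setting can make the browser show it again.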