Basic authentication and KB832894

  • tito

    Basic authentication and KB832894

    Hi,

    After applying "Cumulative Security Update for Internet Explorer
    (832894)":



    I am no longer able to authenticate users using this type of url:

    https://un:pass@www.blahblah.xyz

    Reason for specifying un and pass in url is to stop transmitting
    basic authentication in clear text but through https.
    Code looks like:

    <?
    if ($HTTP_SERVER_VARS['HTTPS'] != 'on'){die("You must use HTTPS!");}

    $un = $HTTP_POST_VARS['un'];
    $pass = $HTTP_POST_VARS['pass'];
    print ( "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=https://" .$un.
    ":" .$pass. "@www.blahblah.xyz/~" .$un. "/page.php\">");
    ?>

    How can I do this in a different way?

    Thanks in advance.
    Tito
  • Cameron

    #2
    Re: Basic authentication and KB832894

    tito wrote:
    > Hi,
    >
    > After applying "Cumulative Security Update for Internet Explorer
    > (832894)":
    >
    > http://www.microsoft.com/technet/tre...n/ms04-004.asp
    >
    > I am no longer able to authenticate users using this type of url:
    >
    > https://un:pass@www.blahblah.xyz
    >
    > Reason for specifying un and pass in url is to stop transmitting
    > basic authentication in clear text but through https.
    > Code looks like:
    >
    > <?
    > if ($HTTP_SERVER_VARS['HTTPS'] != 'on'){die("You must use HTTPS!");}
    >
    > $un = $HTTP_POST_VARS['un'];
    > $pass = $HTTP_POST_VARS['pass'];
    > print ( "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0; URL=https://" .$un.
    > ":" .$pass. "@www.blahblah.xyz/~" .$un. "/page.php\">");
    > ?>
    >
    > How can I do this in a different way?
    >
    > Thanks in advance.
    > Tito

    Errr, I'm no expert on https but I was under the impression that
    everything that goes to the web server using the https protocol is
    encrypted, it's not just for the username and password.

    ~Cameron


    • AJ Z

      #3
      Re: Basic authentication and KB832894

      On 2004-02-03 04:02:47 -0800, Cameron <foo@bar.invalid> said:

      You are correct. If SSL is being used for the connection then the
      username/password is not transmitted in the clear, even with the prompt.
      Entering your URL in that manner will only tell IE to use that info instead
      of prompting for it.

      --
      AJ Zmudosky
      There are no stupid questions, but there are a LOT of inquisitive idiots.


      • tito

        #4
        Re: Basic authentication and KB832894

        That's true.
        But if a client requests the page through HTTP, he is prompted for un
        and pass and it goes in clear text. I am not in a situation to change
        the Apache configuration file to rewrite HTTP to HTTPS.

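One way to handle the situation in the last post without touching the Apache configuration, as an added example that is not part of the thread: do the HTTPS check and the Basic challenge in PHP itself, so a plain-HTTP request is redirected before any password prompt is issued and no credentials are placed in a URL. It assumes authentication is done by the script rather than by an Apache `AuthType` directive and that the SAPI exposes `PHP_AUTH_USER`/`PHP_AUTH_PW` (mod_php does); the host name, realm and user store are constructed placeholders.

```php
<?php
// Added example, not code from the thread. Host name, realm and user store
// are constructed placeholders.

// True only when the request arrived over TLS.
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Compare a submitted pair against stored password_hash() values.
function check_credentials(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

// Constructed sample store: one user, "demo".
$users = ['demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

if (PHP_SAPI === 'cli') {
    // Offline self-check on constructed input.
    var_dump(is_https(['HTTPS' => 'on']), is_https([]),
             check_credentials($users, 'demo', 'wrong'));
    exit;
}

if (!is_https($_SERVER)) {
    // Plain HTTP: redirect and stop. No 401 is sent on this connection, so
    // the browser never prompts for (or sends) credentials in clear text.
    // The target host is fixed rather than taken from the Host header.
    header('Location: https://www.example.invalid' . $_SERVER['REQUEST_URI'], true, 302);
    exit;
}

// HTTPS from here on: the Authorization header travels inside TLS.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if (!check_credentials($users, $user, $pass)) {
    header('WWW-Authenticate: Basic realm="Members"');
    http_response_code(401);
    exit('Authentication required.');
}

echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```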