
How does .htaccess remember passwords?

Can't find a cookie, seems like voodoo


MichaelBluejay

6:25 pm on Jun 9, 2004 (gmt 0)

So I set up the .htaccess/.htpasswd combo to password-protect a directory, and it works great. What puzzles me is: how does the server remember that the user entered a password? I mean, if I go to a page, enter the password, then close the browser window and type in another page in the same protected directory, the server lets me in without asking for my password again. How does it know I already entered my password? I can't find any cookie that's been set, and there's nothing obvious in the password-protected directory. Is the server recording my IP on the server somewhere?

Signed,

Interested in Security

dcrombie

7:48 pm on Jun 9, 2004 (gmt 0)

Your browser is doing the work. Passwords are sent to the server on every page request to that site after you've been authenticated. Transmission is plain text so can be intercepted unless you use https.

MichaelBluejay

12:14 am on Jun 10, 2004 (gmt 0)

The browser stores it in memory, not in a cookie? That's interesting -- I didn't know that browsers could remember user data like that.

I guess this means that if you exit the browser then it's gonna forget the password....

dcrombie

8:33 am on Jun 10, 2004 (gmt 0)

Sometimes that's the only way to log out ;)

Leosghost

8:47 am on Jun 10, 2004 (gmt 0)

I didn't know that browsers could remember user data like that.

How do you think it remembers which links are visited even when you have cleared temporary internet files or whatever (depending on your browser)..
This is why the damn things are so dangerous, as they have access and influence over many areas of your OS that you may not be aware of at the time.. Especially the Redmond variants of the animal..

gergoe

12:40 pm on Jun 10, 2004 (gmt 0)

This behavior is what the HTTP/1.x RFC recommends. Every time you access a resource in a password-protected area the browser must always send the credentials, otherwise access will not be granted. So once you have authenticated yourself for a certain area, then whenever you request a resource in the same area the browser first sends the last used credentials (as long as the (browser) session is not broken) together with the request. This is not for collecting any information about you, and not about the privacy policy of any organization (not even the one from Redmond); this is only for your convenience, to save you the typing of your username and password for every single image, CSS file, or whatever elements you can have on one single page.
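
The exchange described in this post and in dcrombie's reply above, as an added example that is not part of the thread and is not Apache or browser code. The "server" is a small model of what mod_auth_basic does with a .htpasswd file (constructed here with one user in the {SHA} format that `htpasswd -s` writes); the "browser" keeps the credential cache that answers the original question. Everything else (the realm, the protected directory, the user name and password, the host name) is made up for the demo. The last function also shows encyclo's point below: the Authorization header is only base64, so anyone who sees the request can read the password.

```python
"""Model of the HTTP Basic auth exchange behind .htaccess protection.

Added example, not from the forum thread. The server, the browser, the
.htpasswd contents, realm, paths and host are all constructed for the demo.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# --- server side: what mod_auth_basic + .htpasswd do (simplified) ----------

REALM = "Members Only"          # AuthName in the .htaccess (constructed)
PROTECTED_PREFIX = "/members/"  # directory that holds the .htaccess (constructed)


def sha1_htpasswd(password: str) -> str:
    """Entry in the form `htpasswd -s` writes: {SHA} plus base64 of raw SHA-1."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


HTPASSWD = {"michael": sha1_htpasswd("hunter2")}  # constructed .htpasswd contents


def check_password(user: str, password: str) -> bool:
    stored = HTPASSWD.get(user, "")
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(sha1_htpasswd(password), stored)


def decode_basic(header: str):
    """Return (user, password) from an Authorization header value, or None.

    This is also exactly what a sniffer does with a captured request: the
    header is base64, not encryption.
    """
    scheme, _, param = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(param, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None


def serve(path: str, headers: dict):
    """Handle one request. Returns (status, response_headers, body)."""
    if not path.startswith(PROTECTED_PREFIX):
        return 200, {}, "public page"
    creds = decode_basic(headers.get("Authorization", ""))
    if creds and check_password(*creds):
        return 200, {}, "members page"
    # Nothing is stored server side: every request is checked on its own.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Authorization Required"


# --- browser side: the in-memory cache that "remembers" the password -------

class Browser:
    """Credential cache; a new Browser() is what closing the browser does."""

    def __init__(self):
        self._cache = {}  # (origin, realm) -> (path prefix, Authorization value)
        self.log = []     # (path, credentials sent?, status) per request

    def _cached_header(self, origin: str, path: str):
        for (o, _realm), (prefix, header) in self._cache.items():
            if o == origin and path.startswith(prefix):
                return header
        return None

    def fetch(self, url: str, prompt=None):
        """GET url; `prompt(realm)` stands in for the username/password dialog."""
        parts = urlsplit(url)
        origin, path = f"{parts.scheme}://{parts.netloc}", parts.path
        headers = {}
        header = self._cached_header(origin, path)
        if header:  # send cached credentials preemptively, no dialog
            headers["Authorization"] = header
        status, resp_headers, body = serve(path, headers)
        self.log.append((path, "Authorization" in headers, status))
        if status != 401 or prompt is None:
            return status, body
        m = re.search(r'realm="([^"]*)"', resp_headers.get("WWW-Authenticate", ""))
        realm = m.group(1) if m else ""
        user, password = prompt(realm)
        header = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        # Cache for the directory of the challenged URL and everything below it,
        # which is the protection space RFC 7617 lets a client assume.
        prefix = path.rsplit("/", 1)[0] + "/"
        self._cache[(origin, realm)] = (prefix, header)
        status, _, body = serve(path, {"Authorization": header})
        self.log.append((path, True, status))
        return status, body


def demo():
    """Returns (first browser's log, realms prompted for, fresh browser's log)."""
    prompts = []

    def ask(realm):
        prompts.append(realm)
        return ("michael", "hunter2")

    b = Browser()
    b.fetch("http://example.test/members/index.html", prompt=ask)   # 401, dialog, 200
    b.fetch("http://example.test/members/photos/1.jpg", prompt=ask)  # 200, no dialog
    fresh = Browser()                                                # "closed" browser
    fresh.fetch("http://example.test/members/index.html")            # back to 401
    return b.log, prompts, fresh.log


if __name__ == "__main__":
    log, prompts, fresh_log = demo()
    print("first browser:", log)
    print("dialogs shown:", prompts)
    print("fresh browser:", fresh_log)
    print("sniffed header decodes to:", decode_basic("Basic bWljaGFlbDpodW50ZXIy"))
```

The log shows the whole story: the first request goes out without credentials and gets a 401 with a `WWW-Authenticate` challenge, the browser asks once, and every later request under `/members/` carries the same `Authorization` header preemptively, which is why no cookie and no server-side record are needed. A fresh `Browser()` has an empty cache and is challenged again, which is dcrombie's "sometimes that's the only way to log out". Decoding the header value with `decode_basic` gives back `michael:hunter2`, so on a non-HTTPS connection it is as good as sending the password in the clear.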

encyclo

1:23 pm on Jun 10, 2004 (gmt 0)

Interested in Security

You might want to check out the excellent Apache documentation on this topic, especially the security caveat:

[httpd.apache.org...]
[httpd.apache.org...]

As they say:

Basic authentication should not be considered secure for any particularly rigorous definition of secure.

Passwords are sent as plaintext, so anyone who wanted to break in just needs to listen to the traffic and they're in. If you need real security, then you need a scripting language, perhaps a database, an https cert and all the rest of it. Basic authentication is only good for resources of little value.

MichaelBluejay

8:42 pm on Jun 15, 2004 (gmt 0)

Thanks very much for the responses, especially encyclo -- this is all yummy good stuff.

py9jmas

8:53 pm on Jun 15, 2004 (gmt 0)

If you need real security, then you need a scripting language, perhaps a database, an https cert and all the rest of it. Basic authentication is only good for resources of little value.

How is using a scripting language and database and encrypting the connection with SSL any more secure than using Basic auth over SSL?