
PHP auth pw

php,auth


nick2007

10:36 am on Jul 16, 2008 (gmt 0)


I have recently discovered my server is setting the variable PHP_AUTH_PW with the user's unencrypted password.

Anyone who writes a page on the server can in theory grab anyone's password.

I am using the Apache module SSPI to validate users against Windows; if they get hold of this password they can have full access to Windows.

I have checked the $_SERVER values and [AUTH_TYPE] is set to NTLM. Having looked at the manual, I see the PW should not be set as a variable if using an external mechanism.

Is my method traditional?

Will I have to run PHP in safe mode? What are the disadvantages? Is there an alternative to unset this variable or encrypt it?

Thank you for reading.

As of PHP 4.3.0, in order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page and safe mode is enabled. Regardless, REMOTE_USER can be used to identify the externally-authenticated user. So, you can use $_SERVER['REMOTE_USER'].

Note (configuration): PHP uses the presence of an AuthType directive to determine whether external authentication is in effect.
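As an added example (not code from the original post or from PHP/Apache), the script below shows the two points the manual quote makes in practice: it resolves the caller from $_SERVER['REMOTE_USER'] instead of the PHP_AUTH_* variables, and it audits where a cleartext credential is still reachable by any PHP script on the box. The function names are hypothetical, and the sample request is constructed; it assumes the browser fell back to Basic authentication, which is the case in which mod_php fills PHP_AUTH_PW from the Authorization header.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.

/**
 * Identify the externally authenticated user without touching the password
 * variables. With Apache handling auth (SSPI/NTLM here), REMOTE_USER is the
 * value the manual says to rely on.
 */
function current_user(array $server): ?string
{
    if (!empty($server['REMOTE_USER'])) {
        return $server['REMOTE_USER'];
    }
    // After an internal redirect Apache may expose it as REDIRECT_REMOTE_USER.
    if (!empty($server['REDIRECT_REMOTE_USER'])) {
        return $server['REDIRECT_REMOTE_USER'];
    }
    return null;
}

/**
 * Audit: list every place in the request where a cleartext credential is
 * reachable by a PHP script on this server. Returns an array of labels.
 */
function credential_exposure(array $server, array $headers): array
{
    $found = [];
    if (isset($server['PHP_AUTH_PW']) && $server['PHP_AUTH_PW'] !== '') {
        $found[] = 'PHP_AUTH_PW';
    }
    // Even if PHP_AUTH_PW is unset, a Basic Authorization header is still
    // readable via apache_request_headers() and decodes to "user:password".
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0
            && stripos($value, 'Basic ') === 0) {
            $found[] = 'Authorization: Basic (base64, decodable)';
        }
    }
    return $found;
}

// Constructed sample request illustrating the situation in the post:
// Apache has already authenticated the user and mod_php populated PHP_AUTH_*.
$sampleServer = [
    'AUTH_TYPE'     => 'NTLM',
    'REMOTE_USER'   => 'EXAMPLE\\alice',
    'PHP_AUTH_USER' => 'EXAMPLE\\alice',
    'PHP_AUTH_PW'   => 'not-a-real-password',
];
$sampleHeaders = [
    'Authorization' => 'Basic ' . base64_encode('EXAMPLE\\alice:not-a-real-password'),
];

// Under Apache, use the live request instead of the constructed sample:
// $server  = $_SERVER;
// $headers = function_exists('apache_request_headers') ? apache_request_headers() : [];
$server  = $sampleServer;
$headers = $sampleHeaders;

echo "user: ", current_user($server) ?? '(none)', PHP_EOL;
echo "exposure: ", implode(', ', credential_exposure($server, $headers)) ?: 'none', PHP_EOL;

// Unsetting the superglobal entry (e.g. from an auto_prepend_file) hides only
// one copy; the header copy survives, so this is not a boundary against a
// hostile script author on the same server.
unset($server['PHP_AUTH_PW'], $server['PHP_AUTH_USER']);
echo "after unset: ", implode(', ', credential_exposure($server, $headers)) ?: 'none', PHP_EOL;
```

The takeaway for the question in the post: removing or hiding PHP_AUTH_PW limits accidental exposure, but as long as a script on the same server can read the raw Authorization header, the only real fix is not letting the cleartext credential reach PHP at all (or not letting untrusted authors run scripts there, as the reply below says).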

eelixduppy

11:23 pm on Jul 19, 2008 (gmt 0)

>> Anyone who writes a page on the server can in theory grab anyones password.

Why would you let people write scripts on your server in the first place? There are other security issues involved other than grabbing the value of this predefined variable that you should be worried about in this case.

>> Will I have to run PHP in safe mode?

Probably, according to the quote you gave us. The disadvantages lie within its restrictions: [php.net...]

Sorry I cannot provide additional information regarding your issue. Maybe someone else here has experienced something similar.

And Welcome to WebmasterWorld! :)