Re: Need to upgrade password security
- From: "C." <colin.mckinnon@xxxxxxxxx>
- Date: Tue, 23 Oct 2007 21:53:51 -0000
On 23 Oct, 01:18, Patrick Nolan <Patrick.No...@xxxxxxxxxxxx> wrote:
> We're running Apache 2.2.3 on Linux. There is a rudimentary password
> system in place using mod_auth_mysql and Basic authentication. I set
> the passwords by hand. Now the boss wants something better. People
> should be able to set their own passwords and change them. Of course,
> a lot of people will forget their passwords, so we will need a mechanism
> to reset the passwords and send the new ones.
> I have outlined most of what's needed, but I'm stuck on a very early
> step. I need to catch unsuccessful logins so I can offer to let
> people reset their password. I thought I could do this with
> ErrorDocument 401, but it doesn't work the way I want. If an invalid
> password is entered, the browser just keeps asking again and again.
> Only when I click the "cancel" button does the redirect happen.
> Maybe I'm barking up the wrong tree here. Is there a way to do this
> sort of thing with Apache? There are certainly lots of web sites
> which handle invalid passwords in a more graceful manner.
> I've never written any PHP or JavaScript, but I'm experienced with CGI.
You can't fundamentally change the way the browser behaves from the server
side (well, at least, you're not supposed to).
Unless you're running over SSL, relying on basic HTTP authentication
is rather a bad idea. Digest-based authentication is a far better
solution. You can replace all the functionality of the mod_auth module
with a CGI / PHP script, which could choose to redirect at the nth
attempt rather than simply returning a 401 response.
Alternatively, you could write your own authentication system which
would work like most web sites requiring authentication using a
conventional form for the login and sessions to maintain the auth
token - but this then requires you to wrap every protected URL in your
own code to ensure access control is applied. There is at least one
project which pushes authorization back to the webserver but
implements authentication in custom CGI/PHP - http://authmemcookie.sourceforge.net/
Have a Google for "apache authentication cookie" for more hints.
HTH
C.
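As an added example that is not part of the thread, a Python sketch of the "replace mod_auth with a script" route C. describes: the CGI verifies the Basic credentials itself, counts failures per username, and after the nth failure answers with a redirect to a reset page instead of another 401, which is what stops the browser's re-prompt loop. Assumptions: a credential store (constructed here in place of the mod_auth_mysql table), a hypothetical reset URL, and that Apache is configured to pass the Authorization header through to the CGI, which it does not do by default.

```python
import base64
import hashlib
import hmac
from collections import Counter

MAX_ATTEMPTS = 3                       # redirect to the reset page on the 3rd failure
RESET_URL = "/cgi-bin/reset-password"  # hypothetical location of the reset form

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (stands in for the mod_auth_mysql table): user -> (salt, digest)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}

# Failed attempts per username; a CGI process exits per request, so keep this in the DB for real
failures = Counter()

def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(auth_header):
    """Decode 'Basic base64(user:password)'; return (user, password) or None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return (user, password) if sep else None

def verify(user, password):
    """Check the password; unknown users still cost one hash so timing is uniform."""
    salt, digest = USERS.get(user, (b"\0" * 16, b""))
    return hmac.compare_digest(_hash_pw(password, salt), digest)

def respond(auth_header):
    """Return (status line, headers) the CGI script should emit for this request."""
    creds = parse_basic(auth_header)
    if creds and verify(*creds):
        failures.pop(creds[0], None)
        return "200 OK", {"Content-Type": "text/html"}
    if creds:
        failures[creds[0]] += 1
        if failures[creds[0]] >= MAX_ATTEMPTS:
            failures.pop(creds[0], None)
            # A 302 instead of another 401 is what breaks the browser's re-prompt loop
            return "302 Found", {"Location": RESET_URL}
    return "401 Unauthorized", {"WWW-Authenticate": 'Basic realm="members"'}
```

The script would emit the returned status as a `Status:` header followed by the other headers; as the reply says, only run this over SSL, since Basic sends the password base64-encoded on every request.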