Timothy Wilson wrote:
Hi everyone,
Here's a quick security question. I'm using ZServer w/ Apache.
Someone pointed out to me today that it's possible to access a site like this:
http://username:password@mysite.com/
and the user is logged in automatically. Apparently there are cracking tools available that will attempt to guess passwords using this method thereby gaining access to the system.
Is there any easy fix for this?
Yes and no. This is no more or less secure than standard http authentication, which sends the username and password in clear text in the http request headers. It is just as easy to build a cracking tool that sends an http request with username/password guesses in it, as it is to build a tool that tells your browser to go to a URL with username/password in it. If you really want secure authentication, use SSL or digest authentication, which forces you to use Apache and IE 5.0 until netscape supports digest auth.
--sam
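An added example (not code from either poster) illustrating sam's point: the credentials in a user:pass@host URL are exactly what a browser puts in the Basic Authorization header, and that header is merely base64-encoded, so anyone who can read the request can read the password. It also shows the defender-side check a site admin would want: counting 401 responses per client IP in an Apache combined-format access log to spot the guessing pattern Timothy describes. The log lines, IPs and threshold are constructed for the example.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlsplit, unquote


def credentials_from_url(url: str):
    """Return the (username, password) embedded in a user:pass@host URL, or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    return unquote(parts.username), unquote(parts.password or "")


def basic_auth_header(username: str, password: str) -> str:
    """The Authorization header value a browser sends for those credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(value: str):
    """Recover credentials from a Basic header: base64 is encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


# Apache combined log format: ip ident user [date] "request" status bytes ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def guessing_sources(log_lines, threshold=5):
    """Client IPs with more than `threshold` 401 (auth failed) responses in the log."""
    failures = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group(2) == "401":
            failures[m.group(1)] += 1
    return sorted(ip for ip, n in failures.items() if n > threshold)


def _entry(ip, status):
    # Constructed sample log line; timestamp and user agent are placeholders.
    return (f'{ip} - - [10/Oct/2000:13:55:36 -0700] "GET / HTTP/1.0" '
            f'{status} 2326 "-" "Mozilla/4.7"')


# Constructed sample: one client fails six times then succeeds, another fails twice.
SAMPLE_LOG = [_entry("10.0.0.5", 401)] * 6 + [
    _entry("10.0.0.5", 200), _entry("192.168.1.9", 401), _entry("192.168.1.9", 401)]
```

Running `guessing_sources(SAMPLE_LOG)` on the constructed log flags only `10.0.0.5`; in practice you would feed it your real access log and pick a threshold suited to your traffic.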