HTTP authentication

2006-11-20 7:00 pm
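Has anyone here used PHP's HTTP authentication? Is there any way to clear the cache of the authentication window (browser side)? Every time after I log in, it remembers the username and password. I want to clear the cache after logout. Is there a way to do that?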

Answers (3)

2006-11-25 6:43 pm
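✔ Best answer
The cache is written as a cookie and then stored on your computer.
If you want to delete it, go to "Internet Options" and, in the middle under "Temporary Internet Files", choose "Delete Cookies".
That way you can clear the cache after logout.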

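2006-11-28 08:04:00 Addendum:
What the asker asked is how to clear the cache, not the history of HTTP authentication. To herbertlee0427, the poster below: please don't casually copy a pile of useless stuff from the web and mislead others!

2006-11-28 5:32 pm
good

2006-11-28 10:20 am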
In Basic HTTP Authentication, the password is passed over the network not encrypted but not as plain text -- it is "uuencoded." Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet.
So basically this method of authentication is roughly as safe as telnet-style username and password security -- if you trust your machine to be on the Internet, open to attempts to telnet in by anyone who wants to try, then you have no reason not to trust this method also.

In MD5 Message Digest Authentication, the password is not passed over the network at all. Instead, a series of numbers is generated based on the password and other information about the request, and these numbers are then hashed using MD5. The resulting "digest" is then sent over the network, and it is combined with other items on the server to test against the saved digest on the server. This method is more secure over the network, but it has a penalty. The comparison digest on the server must be stored in a fashion that it is retrievable. Basic Authentication stores the password using the one way crypt() function. When the password comes across, the server uudecodes it and then crypts it to check against the stored value. There is no way to get the password from the crypted value. In MD5, you need the information that is stored, so you can't use a one way hashing function to store it. This means that MD5 requires more rigorous security on the server machine. It is possible, but non-trivial, to implement this type of security under the Unix™ security model.



--------------------------------------------------------------------------------


Basic ByPassword Authentication: Step By Step
This should help you set up protection on a directory via the Basic HTTP Authentication method. This method also uses the standard plaintext password file. If you have a large user base, NCSA HTTPd supports a DBM based password file for faster access.
So let's suppose you want to restrict files in a directory called turkey to username pumpkin and password pie. Here's what to do:

Create a file called .htaccess in directory turkey that looks like this:

AuthUserFile /otherdir/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

<Limit GET>
require user pumpkin
</Limit>

Note that the password file will be in another directory (/otherdir).

AuthUserFile must be the full Unix pathname of the password file.

Also note that in this case there is no group file, so we specify /dev/null (the standard Unix way to say "this file doesn't exist").

AuthName can be anything you want. The AuthName field gives the Realm name for which the protection is provided. This name is usually given when a browser prompts for a password, and is also usually used by a browser in correlation with the URL to save the password information you enter so that it can authenticate automatically on the next challenge. Note: You should set this to something, otherwise it will default to ByPassword, which is both non-descriptive and too common.

AuthType should be set to Basic, since we are using Basic HTTP Authentication. Other possibilities for NCSA HTTPd 1.5 are PEM, PGP, KerberosV4, KerberosV5, or Digest. These other types of authentication will be discussed later.

In this example, only the method GET is restricted using the LIMIT directive. To limit other methods (particularly in CGI directories), you can specify them separated by spaces in the LIMIT directive. For example:


<Limit GET POST PUT>
require user pumpkin
</Limit>
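
Added example, not part of the original answer: a Python sketch of the two schemes the answer compares. It decodes a Basic credential (Base64 of user:password, per RFC 7617) as captured off the wire, then shows that a Digest server can verify a response from the stored HA1 value alone, which is why that stored file needs stricter protection. The function names are this example's own; the Digest values are the sample exchange from RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def decode_basic(header):
    """Recover (user, password) from an Authorization: Basic value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    text = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("credential has no ':' separator")
    return user, password


def digest_ha1(user, realm, password):
    """Value a Digest server keeps on disk instead of a one-way crypt() hash."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, fields):
    """RFC 2617 qop=auth response; needs HA1 but never the password itself."""
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    return md5_hex(f"{ha1}:{fields['nonce']}:{fields['nc']}:"
                   f"{fields['cnonce']}:{fields['qop']}:{ha2}")


def server_verify(stored_ha1, method, fields):
    """Server-side check using only the stored HA1 (constant-time compare)."""
    expected = digest_response(stored_ha1, method, fields)
    return hmac.compare_digest(expected, fields["response"])


# Constructed sample: the pumpkin/pie account from the answer, as a browser sends it.
BASIC_HEADER = "Basic " + base64.b64encode(b"pumpkin:pie").decode("ascii")

# Sample exchange from RFC 2617 section 3.5 (user Mufasa, password "Circle Of Life").
RFC2617_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}
```

Because the stored HA1 is sufficient to compute a valid response, a Digest password file should be readable only by the server account, and Basic credentials should only ever travel over TLS.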


Archived: 2021-04-12 19:06:51
Original link [permanently dead]:
https://hk.answers.yahoo.com/question/index?qid=20061120000051KK00872
