Subject: Re: remote_user and apache
From: PCbob - Slobodan miskoviC (YugoslaviaCANADA.COM)
Date: Wed Aug 02 2000 - 11:50:06 CDT


David Augros wrote:

> My interest is in whether the 'remote_user' variable is trustworthy
> enough to decide that we are dealing with an authenticated user who is
> not faking his login name. Any insights/pointers are welcome.

    The remote_user variable is used for browser authentication, and I do
not see any use in spoofing a username, as the server requires a password
every time. You are probably thinking that remote user gives you the username
on the client machine, which is wrong. So if a user is "spoofing" his username
he must "spoof" his password too, which would mean he found out someone else's
login data.

    cheer
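
The behaviour discussed in this reply, as an added example that is not part of the original post and is not Apache's own code: a simplified model of how a server fills the CGI environment under HTTP Basic authentication. The user store, the password and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed credential store (hypothetical user and password). A real server
# reads an htpasswd-style file that uses a proper password hash.
USERS = {"david": hashlib.sha256(b"s3cret").hexdigest()}

def check_basic(header):
    """Return the user name if the Basic credentials verify, else None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # a name without a password is never accepted
    expected = USERS.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, digest):
        return None
    return user

def build_cgi_env(request_headers):
    """Model the environment a CGI script sees for one request."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    env = {}
    for name, value in headers.items():
        if name == "authorization":
            continue  # credentials are not handed to the script
        # Client-supplied headers only ever appear under the HTTP_ prefix.
        env["HTTP_" + name.upper().replace("-", "_")] = value
    user = check_basic(headers.get("authorization", ""))
    if user is not None:
        env["AUTH_TYPE"] = "Basic"
        env["REMOTE_USER"] = user  # set by the server, after verification
    return env

def basic(user, password):
    """Build the Authorization header a browser sends on every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token
```

A script that reads `REMOTE_USER` therefore sees a name only when the matching password was sent with that same request; a client-sent `Remote-User` header lands in `HTTP_REMOTE_USER` and should not be treated as an identity.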