On Sat, Mar 21, 2009 at 3:56 AM, Floren Munteanu <span dir="ltr"><<a href="mailto:nginx@yqed.com">nginx@yqed.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im"><br>
<br>
> If what you *really* want is a web interface to manage the users, simply<br>
make (or pay someone to make) a web interface to manage the password files. <br>
Problem solved, no waiting for asynchronous mysql interface.<br>
<br>
</div>That is not a viable solution, you know it.</blockquote><div> </div><div>It is certainly a viable solution as Manilo indicates.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Managing sensitive files in a<br>
web environment is very unsecure, through a web interface.</blockquote><div> </div><div>No more insecure than managing sensitive data through a web interface - in either case you'll want SSL on top for any semblence of security.<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Ya, you can<br>
create a htpasswd file into /etc/nginx dir for example and do a chmod<br>
0700/chown nginx on it. Then, it is secure to stick in there your<br>
usernames/passwords. But to use PHP or other language to manipulate<br>
sensitive data through a POST that can get sniffed easy by anyone is simply<br>
insane, IMO. </blockquote><div> </div><div>They can monitor the same POST requests to manage users in the database - it's no more secure. As I said above, you'll want to place SSL on top, for starters.<br><br></div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Not to mention that your file has to be editable by anyone in<br>
order to have your script write information into it...</blockquote><div><br>Not really, it just needs to be editable by the user PHP is running as (which I can control). Alternatively, the PHP could make requests to some other service listening on localhost for insertion/removal from the file.<br>
<br>There's a million ways to skin a cat; however, personally if I'm gonna use htpasswd authentication, I just manage it with htpasswd (sometimes indirectly in bash scripts). Simple machines, for the win!<br><br>
- Merlin<br></div></div><br>