At Thu, 13 Oct 2005 16:50:55 +0900 (JST), Curt Sampson wrote:
>
> On Thu, 13 Oct 2005, Alex Shinn wrote:
>
> > Well, for the logs it's easy enough to pipe them to....
>
> Yes, but you still have to have secure storage and backup for the
> original logs. It's much easier not to have to deal with that at all.
Actually, with an Apache conf such as:
AccessLog "| mycommand > mylogfile"
you can hide the password on the fly so there's no intermediate file.
> > As for being able to send links with authentication credentials, in
> > general it's impossible to prevent this without SSL....
>
> It's very easy. Don't ever generate or use such links.
The user can always at the very least generate them by hand. With any
POST form, the user can also directly send the fields with a GET
(assuming the data doesn't overflow the server GET limit, usually 4k).
This is important because some keitai don't support POST, and
translate every request into a GET.
--
Alex
Received on Thu Oct 13 11:06:56 2005