>>>>> "NP" == Nigel Parker <nigel.parker@stripped> writes:
NP> -----Original Message-----
NP> From: Bruno Matarollo [SMTP:bruno@stripped]
NP> Sent: Wednesday, June 30, 1999 5:15 PM
NP> To: mysql@stripped
NP> Subject: auth_mysql problem ... perhaps off topic
NP> I have installed MySQL 3.22.22, Apache 1.3.6 and auth_mysql 2.20 I
NP> presume ... the last one available from the MySQL site... I could compile
NP> everything just fine... I can authenticate using users in the database...
NP> The problem I am having is that usually when doing an authentication you
NP> should have an env var like REMOTE_USER no? Well, I made up a small
NP> cgi-script that prints up all the env vars, and when using auth_mysql I

Most common cause of this is that your cgi-bin directory is NOT
password protected. Just because the page containing the form was
protected does not mean this one will be...

NP> don't have a var that states what user was validated... I mean, I need to
NP> know what user is logged in after a successful authentication...
NP> -------------------------------
NP> Surely auth_mysql will contain a function to return the authenticated user?
NP> Don't use REMOTE_USER environment variable. It is so easy to fake...

Interesting claim. Please explain why you think it is easy to fake
out the server from inserting REMOTE_USER.
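
An added example, not code from any poster in this thread or from auth_mysql: a CGI-side check covering both points discussed above. It assumes standard CGI behaviour (the server sets REMOTE_USER and AUTH_TYPE only when it authenticated the request for that script's own location, and client request headers arrive as HTTP_* variables); the function names and sample environments are constructed for illustration.

```python
import os

def authenticated_user(environ):
    """Return the user the web server authenticated, or None.

    The server sets AUTH_TYPE and REMOTE_USER together, and only when the
    location of *this* script is covered by an auth requirement.
    """
    auth_type = environ.get("AUTH_TYPE", "").strip()
    user = environ.get("REMOTE_USER", "").strip()
    if not auth_type or not user:
        return None  # script location is not password protected
    return user

def client_supplied_lookalikes(environ):
    """List HTTP_* variables that imitate REMOTE_USER.

    Request headers are exported as HTTP_<NAME>, so a client sending
    'Remote-User: admin' produces HTTP_REMOTE_USER, never REMOTE_USER.
    """
    return sorted(k for k in environ
                  if k.startswith("HTTP_") and k.endswith("REMOTE_USER"))

# Constructed sample environments (not captured from a real server).
PROTECTED = {"AUTH_TYPE": "Basic", "REMOTE_USER": "bruno",
             "SCRIPT_NAME": "/protected/cgi-bin/env.cgi"}
UNPROTECTED = {"SCRIPT_NAME": "/cgi-bin/env.cgi"}
FORGED_HEADER = {"SCRIPT_NAME": "/cgi-bin/env.cgi",
                 "HTTP_REMOTE_USER": "admin",
                 "HTTP_X_REMOTE_USER": "admin"}

if __name__ == "__main__":
    # Minimal CGI response reporting what the server itself asserted.
    user = authenticated_user(os.environ)
    print("Content-Type: text/plain\n")
    if user is None:
        print("No server-authenticated user: protect this script's directory.")
    else:
        print("Authenticated as", user)
    for name in client_supplied_lookalikes(os.environ):
        print("Ignoring client-supplied variable", name)
```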