Re: how to support delete of as well as /



REMOTE_USER is set by the web server. You don't know how the web server
determined the remote user, so you cannot know whether it is secure.
Basic auth over an unencrypted connection is insecure, of course. Basic
auth over HTTPS cannot be sniffed on the network (but the user may have
a weak password, or a keylogger on his machine). HTTPS with public-key
crypto where the private key is stored in a hardware key token on the
user's side is very secure.

However, checking for REMOTE_USER is often futile: If the user wasn't
authenticated or isn't authorized to run the script, the script isn't
even called.
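
An added example, not part of the post above: a CGI script can at least record what the web server reports about how `REMOTE_USER` was established and fail closed when the deployment does not match expectations. The function name, the strength labels and the allow policy are assumptions made for illustration; `SSL_CLIENT_VERIFY` is an Apache mod_ssl variable and is assumed to be exported to the script.

```python
import os


def classify_auth(env):
    """Classify the authentication context the web server reports via CGI variables.

    REMOTE_USER and AUTH_TYPE are standard CGI variables (RFC 3875). HTTPS="on"
    is set by common servers for TLS requests. SSL_CLIENT_VERIFY comes from
    Apache mod_ssl. The labels and policy below are illustrative assumptions.
    """
    user = env.get("REMOTE_USER", "")
    if not user:
        # The server should not have run a protected script without a user,
        # so an empty value points to a misconfiguration: fail closed.
        return {"user": None, "strength": "none", "allow": False}

    tls = env.get("HTTPS", "").lower() == "on"
    auth_type = env.get("AUTH_TYPE", "").lower()
    client_cert = tls and env.get("SSL_CLIENT_VERIFY", "") == "SUCCESS"

    if client_cert:
        strength = "client-cert"        # public-key auth over HTTPS
    elif auth_type == "basic" and not tls:
        strength = "cleartext-basic"    # password can be sniffed on the network
    elif tls:
        strength = "password-over-tls"  # not sniffable, password may still be weak
    else:
        strength = "unknown"            # cannot tell how the user was verified

    allow = strength in ("client-cert", "password-over-tls")
    return {"user": user, "strength": strength, "allow": allow}


if __name__ == "__main__":
    # Run as a CGI script: report the classification for the current request.
    result = classify_auth(os.environ)
    status = "200 OK" if result["allow"] else "403 Forbidden"
    print(f"Status: {status}\nContent-Type: text/plain\n")
    print(f"auth strength: {result['strength']}")
```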

