How can I make sure AuthName works in all browsers?

1

10

The code below appears to show the text "HELLO WORLD" just fine in Firefox, IE, Safari, but not in Chrome.

<Files wp-login.php>
AuthType basic
AuthName "HELLO WORLD"
AuthBasicProvider file
AuthUserFile /home/.htpasswd
Require valid-user
</Files>
ErrorDocument 401 "Authentication required"

How can I make sure AuthName works in all browsers?

Inequity answered 17/3, 2016 at 15:13 Comment(0)
8

The AuthName directive sets the realm parameter in the corresponding header, something like:

WWW-Authenticate: Basic realm="HELLO WORLD"

I found a Chromium ticket from October 2015 that reports a man-in-the-middle attack related to HTTP authentication: Issue 544244 - HTTP basic auth credentials prompt should make the origin stand out more. During the discussion it was pointed out that text in realm cannot be trusted and can be used in phishing attacks to trick users into revealing passwords to third parties. I'm not a security expert but I understand that a proxy can inject headers —and usually does— thus the issue.

Apparently, the realm was removed from the authentication dialogue as a result of this and changes were eventually ported to Chrome. You can see the Do not show untrustworthy strings in the basic auth dialogue code review for further details.

Twoseater answered 18/3, 2016 at 9:53 Comment(2)
I noticed it today while modifying Apache configuration. Unfortunately it is not showing even with encrypted connection – Coblenz
Wish I could override this in my browser settings :/ – Register
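
An added example, not part of the original answer and not Chromium's code: a Python sketch of a credentials prompt that parses the `WWW-Authenticate` header Apache sends for `AuthName` and builds its text from the connection's origin only, treating the realm as untrusted. The prompt wording, the function names and the `example.test` URL are assumptions made for illustration, and the parser handles a single challenge per header.

```python
import re
from urllib.parse import urlsplit

# auth-param: name "=" ( token / quoted-string with backslash escapes )
_PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_challenge(header_value):
    """Split one WWW-Authenticate challenge into (scheme, params)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted or not token else token
        params[name.lower()] = value
    return scheme.lower(), params

def origin_of(url):
    """scheme://host[:port] of the URL that returned the 401. It comes from
    the connection the client made, not from any response header."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname or ""
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"

def prompt_text(url, header_value, show_realm=False):
    """Text for a credentials prompt (hypothetical wording). show_realm=True
    mimics a dialog that still displays the server-supplied realm."""
    scheme, params = parse_challenge(header_value)
    if scheme != "basic":
        raise ValueError("not a Basic challenge")
    text = f"{origin_of(url)} requires a username and password."
    if show_realm:
        # Untrusted input: drop control characters and cap the length.
        realm = "".join(c for c in params.get("realm", "") if c.isprintable())[:40]
        text += f' The site says: "{realm}"'
    return text

# Constructed sample: the header Apache sends for AuthName "HELLO WORLD".
HEADER = 'Basic realm="HELLO WORLD"'
URL = "https://example.test/wp-login.php"

if __name__ == "__main__":
    print(prompt_text(URL, HEADER))                   # origin only
    print(prompt_text(URL, HEADER, show_realm=True))  # realm appended
```
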
