Let's not forget about HTTPS, and as far as calling out a specific HTTP
request method (POST), can you explain your rationale further?
On Sat, Mar 21, 2009 at 5:56 AM, Floren Munteanu <nginx@yqed.com> wrote:
>
> > If what you *really* want is a web interface to manage the users, simply
> > make (or pay someone to make) a web interface to manage the password
> > files.
> > Problem solved, no waiting for asynchronous mysql interface.
>
> That is not a viable solution, you know it. Managing sensitive files in a
> web environment is very insecure, through a web interface. Ya, you can
> create an htpasswd file in the /etc/nginx dir for example and do a chmod
> 0700/chown nginx on it. Then, it is secure to stick in there your
> usernames/passwords. But to use PHP or another language to manipulate
> sensitive data through a POST that can get sniffed easily by anyone is simply
> insane, IMO. Not to mention that your file has to be editable by anyone in
> order to have your script write information into it...