我怎样才能确保AuthName指令适用于所有的浏览器？ [英] How can I make sure AuthName works in all browsers?

问题描述

下code似乎显示文本HELLO WORLD就好在Firefox，IE，Safari浏览器，而不是在Chrome。

The code below appears to show the text "HELLO WORLD" just fine in Firefox, IE, Safari, but not in Chrome.

<Files wp-login.php>
AuthType basic
AuthName "HELLO WORLD"
AuthBasicProvider file
AuthUserFile /home/.htpasswd
Require valid-user
</Files>
ErrorDocument 401 "Authentication required"

我怎样才能确保AuthName指令适用于所有的浏览器？

How can I make sure AuthName works in all browsers?

推荐答案

的 AuthName指令指令设置境界参数在相应的标题，是这样的：

The AuthName directive sets the realm parameter in the corresponding header, something like:

WWW-Authenticate: Basic realm="HELLO WORLD"

我发现从2015年10月铬票，报告中涉及到HTTP认证中间人攻击：<一href=\"https://bugs.chromium.org/p/chromium/issues/detail?id=544244&q=-has%3Afleet&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Cr%20Status%20Owner%20Summary%20OS%20Modified\"相对=nofollow>发行544244 - HTTP基本身份验证凭据的提示应该起源更加突出。在讨论过程中，有人指出在该领域的文本不能被信任，并且可以在网络钓鱼攻击被用来诱骗用户泄露密码给第三方。我不是一个安全专家，但我明白，一个代理可以注入头 - 和一般does-这样的问题。

I found a Chromium ticket from October 2015 that reports a man in the middle attack related to HTTP authentication: Issue 544244 - HTTP basic auth credentials prompt should make the origin stand out more. During the discussion it was pointed out that text in realm can not be trusted and can be used in phishing attacks to trick users into revealing passwords to third-parties. I'm not a security expert but I understand that a proxy can inject headers —and usually does— thus the issue.

显然，形式，这和变化的结果最终被移植到Chrome浏览器的验证对话框去除境界。你可以看到不要在基本身份验证对话框 code审查证明不可信的字符串进一步的细节。

Apparent, the realm was removed form the authentication dialogue as a result of this and changes were eventually ported to Chrome. You can see the Do not show untrustworthy strings in the basic auth dialog code review for further details.

的（这是可能的，虽然我还没有测试它的机会，即加密的连接没有这个限制。）的

这篇关于我怎样才能确保AuthName指令适用于所有的浏览器？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！