Prevent username:password@ on URL

PHPdev

I have had a rash of users giving out their usernames and passwords, to other pople. I am currently using basic authentication buit into Apache, using the .htaccess and .htpasswd files.

Does anyone know a regular expression that could be used in Apache's mod_rewrite to prevent the passing of the username: password@url.com from the browser? Does this information even get passed to the webserver, or does the brower interpret it before it gets there?

Thanks

PHPdev

lobobr

Yes, it is passed to Apache.

I'm not an Apache's MOD expert, so all I can do is give you a PHP solution:

Put this piece of code below on the page that receives the user authentication.

It tests if the page that was used to get to your script contains @ or :, so it's an attempt to login via url. You can do the same test using other PHP predefined variables, for an example, if you want to know if the user typed the URL directly in a blank browser screen (in this case there is no REFERER).

Just take a look at: http://www.php.net/manual/en/language.variables.predefined.php

<?php
if (preg_match("/[@|:]/",$SERVER['HTTP_REFERER']))
{
echo "URL authentication is not accepted.";
// bunch of commands
}
?>

Hope it helps.

PHPdev

Unfortunaly when I enter

http://username:password@www.url.com/test.php

where test.php just does a phpinfo(); the referer does not show to be the above url.. infact no variable shows to be the above url.

Anyone have any ideas?

Thanks

PHPdev