I have a problem where if the AuthUserFile contains a blank line then
users can log in with a blank username and password.

Is it possible to specify in the .htaccess file that the user "" with
password "" is not allowed even if there is a blank line in the file?

Also related to this problem could anyone advise me how i could run a
cronjob to remove any blank lines from the AuthUserFile.

Cheers

Bev

[ Post a follow-up to this message ]

On 1 Feb 2005 14:31:06 -0800, BEV <bev_korf@hotmail.com> wrote:
> I have a problem where if the AuthUserFile contains a blank line then
> users can log in with a blank username and password.
>
> Is it possible to specify in the .htaccess file that the user "" with
> password "" is not allowed even if there is a blank line in the file?
>
> Also related to this problem could anyone advise me how i could run a
> cronjob to remove any blank lines from the AuthUserFile.

Perhaps you need to review how names/passwords get added/removed from the
password file, so they will never be there to temporarily exploit.  There
must be an error or oversight in your script or method to add or remove
passwords.

If the authenticated resource is or is wrapped by a script (like an
Action directive) you could check if REMOTE_USER has a value.  However, if
you use an Action, it is up to your action handler to send proper headers
and content (to stdout).

You might also check which Allow or Satisfy directives apply.

[ Post a follow-up to this message ]