How can I prevent Apache from exposing a user's password?

Solution 1:

Just in case someone stumbles on this question like I did:

In Apache 2.4.5 and later you can use the AuthBasicFake directive to mask the password:

AuthBasicFake toto tata

Results in:

PHP_AUTH_USER=toto
PHP_AUTH_PWD=tata

To keep the username:

AuthBasicFake %{REMOTE_USER} tata

results in:

PHP_AUTH_USER=value-of-remote-user
PHP_AUTH_PWD=tata

REMOTE_USER is not affected.
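As an added example (not part of the answer above), here is a complete location block that authenticates against an htpasswd file and then hides the real password from the PHP backend with AuthBasicFake. The path, realm name and the replacement password are assumptions chosen for illustration:

```apacheconf
# Added example, not from the original answer. Requires Apache 2.4.5 or later
# with mod_auth_basic, mod_authn_file and mod_authz_core loaded.
# The realm, the htpasswd path and the fake password are assumptions.
<Location "/app">
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider file
    # Assumed path; create it with: htpasswd -c /etc/apache2/htpasswd alice
    AuthUserFile "/etc/apache2/htpasswd"
    Require valid-user

    # Without the next line the backend receives the browser's real
    # Authorization header, so PHP sees the cleartext password in
    # $_SERVER['PHP_AUTH_PW'] (written PHP_AUTH_PWD in the answer above).
    # AuthBasicFake runs after authentication succeeds and rewrites the
    # Authorization header handed to the backend to
    # base64("<REMOTE_USER>:redacted"), so PHP_AUTH_USER still holds the
    # authenticated user while the password field becomes "redacted".
    AuthBasicFake "%{REMOTE_USER}" "redacted"
</Location>
```

Two caveats a practitioner should keep in mind: the browser still sends the real password to Apache on every request, so this only removes it from what the application (or a ProxyPass backend) sees, not from the wire or from Apache's own process; and if you omit the second argument, mod_auth_basic substitutes the literal string "password", so it is worth setting an obvious placeholder like the one above so a leaked value is recognisable as fake.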

Solution 2:

It seems not possible, but see http://bytes.com/topic/php/answers/798619-prevent-setting-php_auth_pw
Post #8 suggests using auto_prepend_file to run a script that unsets the variable.
It's a workaround, not a clean solution, but it exists...

Did you try AuthType Digest?

Solution 3:

Radius is right -- you can't.

After further research I realised that this is basically a text-book scenario for an identity assertion: A trusted identity provider "proves" the user's identity to the client application. The SAML 2.0 specification seems a good fit.

I was hoping to get away without more infrastructure layers, but I'm going to go with simpleSAMLphp[1] for the IDP and mod_mellon[2] for the Apache side. (A day's worth of tinkering and it works.) This doesn't solve the password problem, but moves it to where it can be controlled.

Aside: Sun's OpenSSO is quite beefy but Oracle killed it and the related OpenAM project's future is still not clear.

[1]: http://rnd.feide.no/simplesamlphp simpleSAMLphp

[2]: http://code.google.com/p/modmellon/ mod_mellon