Vulnerability Development
mailing list archives
Re: remote_user and apache
From: Holger van Koll <holger () VANKOLL DE>
Date: Wed, 2 Aug 2000 20:03:01 +0200
David Augros wrote:

> Sorry if this is offtopic, but I figure it's close enough to try.
> Does anybody know how basic http auth is handled (in particular, by
> apache)?

In short: If apache finds any instruction that the accessed page is
protected (e.g. a .htaccess file), it asks for username/pwd for every
request. The browser also sends it every time again (however, it only
prompts you one time).

> Specifically, I am interested in the env variable 'remote_user'

This variable is set by httpd, not sent by the browser (as most
others), so...

> My interest is in whether the 'remote_user' variable is trustworthy

... it's not easy to forge. A
http://somewhere/something.html?remote_user=bla won't forge it.
I would trust it.
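
The behaviour described in the reply above, as an added example that is not part of the original post and is not Apache's code: a small Python model of a CGI gateway following RFC 3875, showing that REMOTE_USER comes only from the server's own check of the Authorization header, while a `remote_user` query parameter stays in QUERY_STRING. It goes slightly beyond the post by also showing that a client-sent `Remote-User` header lands in HTTP_REMOTE_USER. The `USERS` store, function names and credentials are constructed for illustration.

```python
import base64
import hmac

# Constructed credential store standing in for an htpasswd file (assumption).
USERS = {"alice": "s3cret"}

def authenticated_user(headers):
    """Return the user name if the Basic credentials verify, else None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, pwd = decoded.partition(":")
    expected = USERS.get(user)
    if sep and expected is not None and hmac.compare_digest(
            expected.encode(), pwd.encode()):
        return user
    return None

def build_cgi_env(query_string, headers):
    """Model of how a gateway builds a protected script's environment."""
    user = authenticated_user(headers)
    if user is None:
        return 401, {}  # server answers 401; the script never runs
    env = {"QUERY_STRING": query_string}
    for name, value in headers.items():
        if name.lower() == "authorization":
            continue  # credentials are not handed to the script
        # Client-controlled headers always get the HTTP_ prefix.
        env["HTTP_" + name.upper().replace("-", "_")] = value
    # Set from the server's own verification result, never from the request.
    env["AUTH_TYPE"] = "Basic"
    env["REMOTE_USER"] = user
    return 200, env

def basic(user, pwd):
    """Build the header value a browser resends on every request."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()

if __name__ == "__main__":
    # Constructed request: valid login plus two attempts to name another user.
    status, env = build_cgi_env(
        "remote_user=bla",
        {"Authorization": basic("alice", "s3cret"), "Remote-User": "bla"})
    for key in sorted(env):
        print(status, key, "=", env[key])
```

The guarantee holds only for scripts that are reached through the authenticating server; code that reads the query parameter or HTTP_REMOTE_USER instead of REMOTE_USER gets client-controlled data.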