CGI/1.0: last call

ts (decoux@moulon.inra.fr)
Sat, 11 Dec 93 11:50:39 +0100


> Interesting. I just returned from a meeting where various security
> experts impressed on me just how bad an idea that is, as it increases
> the amount of code in the "Trusted Computing Base" unmanageably. They
> felt that such a system could never be rated secure.

You are right. But the problem is: the authentication protocol of WWW (a la
un*x) is perhaps good enough for HTTP/0.9, but is not adapted for HTTP/1.0,
particularly for the methods PUT, POST, DELETE.

Actually I prefer to write a script with a better authentication rather than
use WWW to do it.

Put under "/htauth" specific scripts for authentication and don't use
this basic authentication protocol.

Guy Decoux