How to prevent Apache from exposing a user’s password

Tags: apache-2.2, authentication

When using basic authentication (specifically via LDAP, but htpasswd also) with Apache, it makes the REMOTE_USER variable available to the PHP / Ruby / Python code underneath — this is very useful for offloading authentication to the webserver.

In our office environment we have lots of internal applications working like this over SSL, all quite secure. BUT: Apache exposes the PHP_AUTH_USER (=REMOTE_USER) and PHP_AUTH_PW variables to any application inside PHP. (PHP_AUTH_PW contains the plaintext password the user entered.) This means it's possible for the app to harvest usernames and passwords. Presumably the same information is available to Python and Ruby (all three are currently in use; PHP is being phased out).

So how can I prevent Apache from doing this?

One idea is to use Kerberos Negotiate authentication (which does not expose the password and has the benefit of being SSO), but that automatically falls back to Basic for some browsers (Chrome and in some cases Firefox), causing the password to be exposed again.

Best Answer

Just in case someone stumbles on this question like I did:

In Apache 2.4.5 and later you can use the AuthBasicFake directive to mask the password:

AuthBasicFake toto tata

Results in:

PHP_AUTH_USER=toto
PHP_AUTH_PWD=tata

To keep the username:

AuthBasicFake %{REMOTE_USER} tata

results in:

PHP_AUTH_USER=value-of-remote-user
PHP_AUTH_PWD=tata

REMOTE_USER is not affected.
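Pulling the answer's directive into a complete virtual host section, as an added example that is not part of the original answer; the hostname, certificate paths, the LDAP URL and the constant placeholder password are all assumptions, and the mod_authnz_ldap settings are the usual ones rather than anything the question specifies:

```apache
# Added example (not from the original answer): an internal application
# behind LDAP Basic auth on Apache 2.4.5 or later, with the user's real
# password hidden from the application code.
<VirtualHost *:443>
    ServerName app.example.internal          # assumed hostname
    DocumentRoot /var/www/app

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.internal.pem   # assumed path
    SSLCertificateKeyFile /etc/ssl/private/app.example.internal.key # assumed path

    <Directory /var/www/app>
        AuthType Basic
        AuthName "Internal applications"
        AuthBasicProvider ldap
        # Assumed directory settings; substitute your own base DN and attribute.
        AuthLDAPURL "ldaps://ldap.example.internal/ou=people,dc=example,dc=internal?uid"
        Require valid-user

        # Rewrite the Basic credentials passed on to the application:
        # keep the authenticated username, replace the password with a
        # constant. REMOTE_USER is unchanged, so the app still knows who
        # the user is, but PHP_AUTH_PW only ever contains the placeholder.
        AuthBasicFake %{REMOTE_USER} not-a-password
    </Directory>
</VirtualHost>
```

To confirm the mask is in effect after a reload, a throwaway script that echoes $_SERVER['PHP_AUTH_PW'] should print only the placeholder, never the password that was typed.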