LinuxQuestions.org

sxcheng 02-23-2005 03:31 AM

How to force user to enter username and password
 
Hi,
I am a Linux newb. Recently I set up a mail server using RH9.0/sendmail and openwebmail 2.50 so users can access email outside the office.

Now everything is working fine. When a user accesses openwebmail, it prompts for a username and password, but some users set IE to remember the password so they don't need to key in the password every time.

Now my boss wants me to do something on the server side (not the client side) so that, even if the user saved the password in IE, openwebmail will still prompt for the username and password.

I don't know where to start. Is it something I need to change in Apache or in openwebmail?

I would appreciate it if someone could give me some advice.

Thanks

scott_R 02-23-2005 05:46 AM

It's fairly easy; you'll simply need to disable the acceptance of cookies that were set up originally to make things easier for users. This is easy enough: you simply disable their acceptance on your server, or alternatively, set up a "blank" cookie that errors out any existing cookies and causes the browser to pop up another password box. Naturally, if you zap the cookie code in your website pages, the cookies are nothing but wasted space on the users' drives.

With Firefox/Mozilla/Opera, and any real browser (everything but old crusty IE), you may have to fight forms as well. This is easy enough: you simply use a randomizer in the address (PHP is beautiful for this). In other words, instead of http://my.com/, you would use http://my.com/?randomnumbersandlette...esitewasraised

Basically, there are a lot of ways to do this, most of which are pretty basic programming knowledge/website scripting, but it's not something your average MS admin/network guy is going to be able to properly address, because most of those folks barely do the minimum to keep their jobs. Using IE, after most companies, security organizations, governments, etc., have migrated to more secure browsers, just shows how far your firm still has to go simply to catch up to minimally acceptable security standards, so worrying about cookies and logins from internal users is kind of missing the point.

Sorry, but cookies don't mean much when viruses, spyware, adware, keyloggers, and a multitude of other problems are the more relevant threat.
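
The two server-side ideas in the reply above (a "blank" cookie that overwrites an existing one, and a random value in the address) sketched as an added example that is not part of the thread or of openwebmail. The cookie name `sessionid`, the path `/login` and the form field names are assumptions for illustration.

```python
# Added example, not code from the thread or from openwebmail.
# SESSION_COOKIE, LOGIN_PATH and the form field names are hypothetical.
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"   # assumed name of the session cookie
LOGIN_PATH = "/login"          # assumed login URL


def expire_cookie_header(name, path="/"):
    """Build a 'blank' Set-Cookie value that overwrites and expires `name`."""
    c = SimpleCookie()
    c[name] = ""
    c[name]["path"] = path
    c[name]["max-age"] = 0
    c[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    return c[name].OutputString()


def build_login_response(cookie_header):
    """Return (headers, body) for a login page served with no reusable state."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # Keep the login page out of browser and proxy caches.
        ("Cache-Control", "no-store"),
        ("Pragma", "no-cache"),
    ]
    # If the browser presented an old session cookie, blank it out.
    presented = SimpleCookie()
    presented.load(cookie_header or "")
    if SESSION_COOKIE in presented:
        headers.append(("Set-Cookie", expire_cookie_header(SESSION_COOKIE)))
    # Random value in the address, different on every page load.
    token = secrets.token_urlsafe(16)
    body = (
        f'<form method="post" action="{LOGIN_PATH}?r={token}">'
        '<input name="user"><input type="password" name="pass">'
        '<input type="submit" value="Login"></form>'
    )
    return headers, body
```
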
