Re: 1.1.9 ftp security bug?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 13 Apr 1997 19:28:55 +0200

I believe that the password should not appear in the logs if you are
using the "authorization" mode (user@host, not user:password@host). That
was one of the reasons why I implemented that feature a long time ago.
This should also have the side effect that the pages are not cached.

If you are using the URL for specifying your password, then it currently
shows up in the logs, and the pages are cached, but it is a long
standing entry on the ToDo for Squid.... (but you should not use a proxy
you don't trust for sensitive information anyway...)

---
Henrik Nordström

Andres Kroonmaa wrote:
>
>    Hi,
>
>    Today, to my greatest surprise found that the site I have access to
>  via ftp using account/password was blistering fast (not so usual here)
>  and realized that it was coming from the cache! A simple regexp grep
>  over the swaplog and accesslog showed a pretty bunch of usernames
>  with passwords at different sites.
>    This is NOT supposed to happen, is it? Or I am totally out of date
>  with my views on security? Password protected pages should not be
>  cached and shown in access.log?
>
>  Andres Kroonmaa,
>  MicroLink Online
Received on Tue Jul 29 2003 - 13:15:40 MDT
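
The log exposure discussed in this thread can be audited and scrubbed after the fact. The following is an added example, not code from the thread or from Squid: it redacts the password part of `user:password@host` URLs in log lines, reports which accounts were exposed, and flags entries that were served from cache. The function names are hypothetical, the sample lines are constructed to resemble access.log entries, and the `TCP_...HIT` result tag is assumed to mark cache hits.

```python
import re

# scheme://user:password@host -- only the "password in the URL" form matches;
# the user@host form (no password in the URL) and host:port are left alone.
_CRED_URL = re.compile(
    r'(?P<scheme>[a-z][a-z0-9+.-]*)://'
    r'(?P<user>[^\s:/@]+):(?P<password>[^\s/@]+)@'
    r'(?P<host>[^\s/:]+)',
    re.IGNORECASE,
)
# Assumption: cache hits carry a result tag such as TCP_HIT/200.
_HIT_TAG = re.compile(r'\bTCP_\w*HIT/')

def redact_line(line):
    """Return (redacted_line, findings); findings are (scheme, user, host)."""
    findings = []

    def _mask(m):
        findings.append((m.group('scheme').lower(), m.group('user'), m.group('host')))
        return f"{m.group('scheme')}://{m.group('user')}:********@{m.group('host')}"

    return _CRED_URL.sub(_mask, line), findings

def audit(lines):
    """Redact all lines; report exposed accounts and cached credential URLs."""
    redacted, leaked, cache_hits = [], {}, []
    for number, line in enumerate(lines, 1):
        clean, found = redact_line(line)
        redacted.append(clean)
        for key in found:
            leaked.setdefault(key, []).append(number)
        if found and _HIT_TAG.search(line):
            cache_hits.append(number)  # password-protected object came from cache
    return redacted, leaked, cache_hits

# Constructed sample input (not real log data).
SAMPLE = [
    "860944135.123 1532 10.0.0.5 TCP_MISS/200 4821 GET ftp://alice:s3cret@ftp.example.com/pub/report.txt - DIRECT/ftp.example.com text/plain",
    "860944140.456 12 10.0.0.5 TCP_HIT/200 4821 GET ftp://alice:s3cret@ftp.example.com/pub/report.txt - NONE/- text/plain",
    "860944150.789 980 10.0.0.9 TCP_MISS/200 1200 GET ftp://bob@ftp.example.org/readme - DIRECT/ftp.example.org text/plain",
    "860944160.001 310 10.0.0.9 TCP_MISS/200 900 GET http://www.example.net:8080/index.html - DIRECT/www.example.net text/html",
]

if __name__ == "__main__":
    redacted, leaked, cache_hits = audit(SAMPLE)
    print("\n".join(redacted))
    print("exposed accounts:", leaked)
    print("served from cache (line numbers):", cache_hits)
```

Any account the audit reports should have its password changed, since the original value has already been written to disk.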
