I agree with this notion--control should be in the hands of the
administrator via AllowOverride, if anything.
Phil Pishioneri wrote:
On 7/20/04 5:06 PM, johanna bromberg craig wrote:
This was originally a security thought, but I'm not sure our reasons
are valid anymore. I think our original logic was not wanting users to
turn off/on Cosign if an admin had made it on/off for a whole server,
but that might be spurious. Other members of the core cosign team feel
free to speak up and correct me if there was a more pressing issue and
I've just forgotten it. ;)
Did you want to use it in an .htaccess?
We were thinking of .htaccess usage, possibly for personal web pages,
though I think we came up with an alternative.
Does anyone? Is this something people would like to see changed?
Anyone have security thoughts on this matter?
If "CosignProtected" could be classified as an authorization directive
(I don't know if that would be possible), then an admin could allow its
use by specifying "AllowOverride AuthConfig" as needed.
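
Added example, not part of the thread or of the cosign source: a simplified C model of the override check that the AllowOverride suggestion above depends on. The override-class names follow httpd's http_config.h, but the numeric values, the two registrations of "CosignProtected" and the helper names are assumptions made for illustration.

```c
#include <stdio.h>

/* Override-class names follow httpd's http_config.h; the numeric values
 * are for this model only. */
enum {
    OR_NONE = 0, OR_LIMIT = 1, OR_OPTIONS = 2, OR_FILEINFO = 4,
    OR_AUTHCFG = 8, OR_INDEXES = 16, ACCESS_CONF = 64, RSRC_CONF = 128
};

/* Model of a directive registration: where the module says it may appear. */
struct directive {
    const char *name;
    const char *registration;
    int req_override;
};

/* Assumed "admin only" registration: server config and <Directory> only. */
static const struct directive admin_only =
    { "CosignProtected", "admin-only", RSRC_CONF | ACCESS_CONF };
/* Hypothetical registration as an authorization directive. */
static const struct directive as_authcfg =
    { "CosignProtected", "AuthConfig class", OR_AUTHCFG };

/* In an .htaccess file the context mask is what AllowOverride granted
 * for that directory; the directive needs at least one matching bit. */
int allowed_in_htaccess(const struct directive *d, int allow_override)
{
    return (d->req_override & allow_override) != 0;
}

static void report(const struct directive *d, const char *ao_text, int ao)
{
    printf("%s (%s) under \"%s\": %s\n", d->name, d->registration, ao_text,
           allowed_in_htaccess(d, ao) ? "accepted" : "rejected");
}

int main(void)
{
    /* A user cannot toggle the directive, whatever AllowOverride says. */
    report(&admin_only, "AllowOverride AuthConfig", OR_AUTHCFG);
    /* The admin decides per directory whether users may set it. */
    report(&as_authcfg, "AllowOverride None", OR_NONE);
    report(&as_authcfg, "AllowOverride FileInfo Indexes", OR_FILEINFO | OR_INDEXES);
    report(&as_authcfg, "AllowOverride AuthConfig", OR_AUTHCFG);
    return 0;
}
```

In this model the AuthConfig-class registration is rejected in .htaccess unless the administrator has granted AuthConfig for that directory, which is the control point the thread is asking for.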