Request #9022 Selectable option for PHP_AUTH_PW
Submitted: 2001-01-31 02:37 UTC Modified: 2002-09-05 10:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: csy at hjc dot edu dot sg Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: Linux
Private report: No CVE-ID: None
 [2001-01-31 02:37 UTC] csy at hjc dot edu dot sg
I am currently running Apache-1.3.17 with php-4.0.4pl1. It appears that when I am using Apache's own mod_auth with .htaccess and .htpasswd authentication, PHP will store the password from Apache in the PHP_AUTH_PW variable.

Though it is useful sometimes, it also creates a security problem in the following situation.

access to http://www.abc.com is limited to users who each have their own unique username/password.

http://www.abc.com/apps1 is developed and maintained by groupA

http://www.abc.com/apps2 is developed and maintained by groupB

Any malicious developer in groupA or groupB will be able to silently steal the user's password when they access either apps1 or apps2, without the user knowing, just by saving the values found in PHP_AUTH_USER and PHP_AUTH_PW.

The malicious developer can then use the saved password to assume the identity of the original user and access the website to perform functions without the original user knowing.

Hence I am wondering whether it would be possible to have a configuration directive that can select whether PHP_AUTH_PW will store the external password when external authentication modules like mod_auth are used.
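The scenario the report describes, as an added example that is not code from the reporter or from PHP itself. It assumes modern PHP (the `$_SERVER` array rather than PHP 4's register_globals `$PHP_AUTH_PW`), mod_php under Apache, and a hypothetical deployment in which this file is loaded through php.ini's `auto_prepend_file` so that it runs before any script under /apps1 or /apps2. The first function is what a developer in groupA or groupB could drop into any page; the second is a server-side mitigation that removes the password when Apache, not the script, did the authenticating. The sample request environments at the bottom are constructed, not captured from a real server.

```php
<?php
// Added example for bug #9022; not code from the reporter or from PHP.
// Assumptions: modern PHP ($_SERVER), mod_php under Apache, and a
// hypothetical deployment that loads this file via php.ini's
// auto_prepend_file before any application script runs.

// What a malicious developer in groupA or groupB could put at the top of a
// page: the credentials Apache's mod_auth already verified are still present
// in the request environment, so they can simply be saved.
function harvest_credentials(array $server): ?array
{
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return null;
    }
    // A real attacker would append this to a file or send it out of band.
    return ['user' => $server['PHP_AUTH_USER'], 'pw' => $server['PHP_AUTH_PW']];
}

// Mitigation: when Apache performed the authentication, the plaintext
// password has no legitimate use inside PHP, so drop every copy of it before
// application code runs. Apache's auth modules set REMOTE_USER and AUTH_TYPE
// only after a successful check; a script that does its own Basic auth via
// header('WWW-Authenticate: ...') sees neither, and keeps PHP_AUTH_PW.
function scrub_externally_verified_password(array &$server): bool
{
    $apache_did_auth = !empty($server['REMOTE_USER']) && !empty($server['AUTH_TYPE']);
    if (!$apache_did_auth) {
        return false;
    }
    foreach (['PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        unset($server[$key]);
    }
    return true;
}

// Constructed sample environments (not captured from a real server).
$after_mod_auth = [
    'REMOTE_USER'        => 'alice',
    'AUTH_TYPE'          => 'Basic',
    'PHP_AUTH_USER'      => 'alice',
    'PHP_AUTH_PW'        => 'correct horse battery staple',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:correct horse battery staple'),
];
$script_does_auth = [
    'PHP_AUTH_USER' => 'alice',
    'PHP_AUTH_PW'   => 'correct horse battery staple',
];

if (PHP_SAPI === 'cli') {
    // Self-check when run from the command line: php scrub_auth.php
    scrub_externally_verified_password($after_mod_auth);
    assert(harvest_credentials($after_mod_auth) === null);
    assert(!scrub_externally_verified_password($script_does_auth));
    assert(harvest_credentials($script_does_auth)['pw'] === 'correct horse battery staple');
    echo "externally verified password scrubbed; script-driven auth left intact\n";
} else {
    // As a prepend file: scrub the live request before apps1/apps2 code runs.
    scrub_externally_verified_password($_SERVER);
}
```

Two caveats a practitioner should keep in mind. First, a php.ini `auto_prepend_file` can be overridden with `php_value auto_prepend_file` in a per-directory .htaccess, which is exactly what groupA and groupB control, so the vhost must deny that (`AllowOverride` without `Options`, or set the directive in httpd.conf with `php_admin_value`). Second, under PHP 4 with register_globals the password also lives in the global `$PHP_AUTH_PW` and in `$HTTP_SERVER_VARS`, so a prepend of this kind is only a stopgap; the durable fix is the one this request asks for, which is for PHP itself not to export the password when an external module authenticated the request.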

 [2002-09-05 10:22 UTC] rasmus@php.net
Fixed in CVS