[UFO Chicago] Apache case-insensitive username matching with .htaccess directives?

Jesse Becker jesse_becker at yahoo.com
Tue Apr 14 11:36:09 PDT 2009


--- On Tue, 4/14/09, Jay F Shachter <jay at m5.chicago.il.us> wrote:

> From: Jay F Shachter <jay at m5.chicago.il.us>
> Subject: Re: [UFO Chicago] Apache case-insensitive username matching with .htaccess directives?
> To: jesse_becker at yahoo.com
> Cc: ufo at ufo.chicago.il.us
> Date: Tuesday, April 14, 2009, 1:13 PM
> Centuries ago, Nostradamus predicted that Jesse Becker would
> write on Tue Apr 14 13:00:13 2009:
> 
> > 
> > While I completely agree that all permutations of upper and
> > lowercase is impractical, there is a middle ground.
> > 
> > I'm willing to bet that over 99% of the attempted usernames will fit
> > one of these three forms:
> >   username
> >   Username
> >   USERNAME
> > 
> > This changes the length from 2^N to 3N--a pretty substantial
> > improvement, even if still not ideal.
> > 
> 
> Alas, the usernames are originally (they can change) the user's
> electronic addresses.  Think in terms of "first.last at example.com".
> There are a lot more than 3 likely possibilities:
> 
>   first.last at example.com
>   First.Last at example.com
>   first.last at Example.com
>   first.last at Example.Com
>   first.last at Example.COM
>   First.Last at Example.COM
>   first.last at EXAMPLE.COM
> 
> ... you get the idea.  It really isn't practical.  Now, .htaccess
> files that request case-insensitive usernames -- that would be
> practical.  Surely someone else has wanted this too; I can't possibly
> be breaking new ground here.

I don't think the idea is new, but I don't think that Apache supports this, unfortunately.

So a question, and possible workaround:  Do you have any situations where the password for "first.last at example.com" is different from (say) "FIRST.LAST at example.com"?

If those two accounts are equivalent (e.g. have the same password hash), then you could squash all accounts to the strictly lowercase version, and tell your users to not use anything else.

Yes, still ugly, I know.  However, the two alternatives I can think of (rewrite using JavaScript, and submit the auth info to a CGI, that rewrites and resubmits to the 'real' location) are uglier still.

--
Jesse Becker
GPG-fingerprint:  BD00 7AA4 4483 AFCC 82D0  2720 0083 0931 9A2B 06A2
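
Added example, not part of the original message: a sketch of the check the workaround above depends on. It groups htpasswd-style "user:hash" lines by lowercased username and separates names that can be squashed from names whose case variants carry different hashes. The function name, the sample entries and the hash strings are constructed for illustration.

```python
from collections import defaultdict


def squash_htpasswd(lines):
    """Group "user:hash" entries by lowercased username.

    Returns (merged, conflicts):
      merged    -- {lowercase_name: hash} where every case variant has the same hash
      conflicts -- {lowercase_name: [(original_name, hash), ...]} where they differ
    """
    variants = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first colon only; the hash field may contain others.
        name, sep, pw_hash = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed htpasswd line: {raw!r}")
        variants[name.lower()].append((name, pw_hash))

    merged, conflicts = {}, {}
    for lname, entries in variants.items():
        hashes = {h for _, h in entries}
        if len(hashes) == 1:
            merged[lname] = hashes.pop()
        else:
            # Do not pick a winner automatically: merging would silently
            # change which password unlocks the account.
            conflicts[lname] = entries
    return merged, conflicts


# Constructed sample input; the hash strings are placeholders, not real digests.
SAMPLE = [
    "first.last@example.com:{SHA}constructedA=",
    "First.Last@Example.COM:{SHA}constructedA=",
    "jane.doe@example.com:{SHA}constructedB=",
    "JANE.DOE@example.com:{SHA}constructedC=",
]

if __name__ == "__main__":
    merged, conflicts = squash_htpasswd(SAMPLE)
    for name, pw_hash in sorted(merged.items()):
        print(f"{name}:{pw_hash}")
    for name, entries in sorted(conflicts.items()):
        print(f"# CONFLICT {name}: {[n for n, _ in entries]}")
```

With salted hash formats, two entries for the same password will normally have different hashes, so a reported conflict means "review by hand", not "the passwords differ".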