Is using $ENV{'REMOTE_USER'} secure?


toolkit
10-29-2002, 11:24 AM
I'm writing an application that users must log into using a username and password to access. I'm currently using .htaccess to protect it, and then using the $ENV{'REMOTE_USER'} var to check which user is accessing the script (so they only have access to the features they are allowed).

Is the REMOTE_USER pretty secure, or is it easily spoofed (like HTTP_REFERER)?

Mouldy_Goat
10-31-2002, 12:14 AM
I'm not certain, but I'm fairly sure that it is secure. Once a user has authenticated with basic .htaccess authentication, the REMOTE_USER variable is set internally, as opposed to coming from outside like the HTTP_REFERER variable, so it's certainly not as easily spoofed.

toolkit
10-31-2002, 09:23 AM
Thanks for the reply Mouldy_Goat :thumbsup:

I did some additional digging and came up with this URL with extra info, if anyone is interested:
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0313.html
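
Added example, not part of the original thread: a Perl CGI authorization check built on the distinction drawn in the reply above, trusting only the server-set REMOTE_USER and refusing access when the server has not authenticated the request. The feature table, usernames, username format and sample environments are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical feature table (constructed): user => permitted features.
my %ALLOWED = (
    alice => { report => 1, admin => 1 },
    bob   => { report => 1 },
);

# Decide access from a CGI environment hash (pass \%ENV in a real script).
# Returns the username when access is allowed, undef otherwise.
sub authorized_user {
    my ($env, $feature) = @_;

    # Fail closed: if the .htaccess protection is missing or the script is
    # reached without server authentication, these variables are not set.
    my $auth = $env->{AUTH_TYPE}   // '';
    my $user = $env->{REMOTE_USER} // '';
    return unless length($auth) && length($user);

    # Accept only names shaped like the accounts we issue (assumed format).
    return unless $user =~ /\A[A-Za-z0-9_.-]{1,32}\z/;

    # Request headers reach a CGI script as HTTP_* variables, so a
    # client-sent "Remote-User:" header becomes HTTP_REMOTE_USER and is
    # never read here.
    return unless exists $ALLOWED{$user} && $ALLOWED{$user}{$feature};
    return $user;
}

# Constructed sample environments, one per case worth checking.
my @cases = (
    [ 'authenticated, permitted',     { AUTH_TYPE => 'Basic', REMOTE_USER => 'bob' },     'report' ],
    [ 'authenticated, not permitted', { AUTH_TYPE => 'Basic', REMOTE_USER => 'bob' },     'admin'  ],
    [ 'no server auth, header only',  { HTTP_REMOTE_USER => 'alice' },                    'admin'  ],
    [ 'authenticated, unknown user',  { AUTH_TYPE => 'Basic', REMOTE_USER => 'mallory' }, 'report' ],
);

for my $c (@cases) {
    my ($label, $env, $feature) = @$c;
    my $user = authorized_user($env, $feature);
    printf "%-30s %-7s %s\n", $label, $feature, defined $user ? "allow ($user)" : 'deny';
}
```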