Subject: svn commit: r657296 - in /httpd/httpd/trunk/docs/manual/mod: mod_auth_form.html.en mod_auth_form.xml mod_auth_form.xml.meta mod_session.html.en mod_session.xml mod_session.xml.meta
Date: Sat, 17 May 2008 06:21:58 -0000
To: cvs@httpd.apache.org
From: jsl@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20080517062158.D14D62388A2A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jsl Date: Fri May 16 23:21:58 2008 New Revision: 657296 URL: http://svn.apache.org/viewvc?rev=657296&view=rev Log: Minor doc cleanups as submitted by David Shane Holden . Some minor changes by myself from his patch. Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_form.html.en httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml.meta httpd/httpd/trunk/docs/manual/mod/mod_session.html.en httpd/httpd/trunk/docs/manual/mod/mod_session.xml httpd/httpd/trunk/docs/manual/mod/mod_session.xml.meta Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_form.html.en URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_form.html.en?rev=657296&r1=657295&r2=657296&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_auth_form.html.en (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_auth_form.html.en Fri May 16 23:21:58 2008 @@ -44,16 +44,16 @@ HTML login form can provide a much friendlier experience for end users.

-

HTTP Basic authentication is provided by - mod_auth_basic, and HTTP Digest Authentication is +

HTTP basic authentication is provided by + mod_auth_basic, and HTTP digest authentication is provided by mod_auth_digest. This module should - usually be combined with at least one authentication module + be combined with at least one authentication module such as mod_authn_file and one authorization module such as mod_authz_user.

Once the user has been successfully authenticated, the user's login - details will be stored in a suitably configured session, - as provided by the mod_session module.

+ details will be stored in a session provided by mod_session. +

Directives
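
Review bot: In the last changed paragraph of this hunk, dropping "suitably configured" from "stored in a suitably configured session" removes the only cue at this point that the session needs setting up before it holds login details, and a later hunk in this same file states that the session carries the username and password. Consider keeping the qualifier, for example "stored in a suitably configured session provided by mod_session". The same wording change appears in the mod_auth_form.xml hunk at @@ -44,16 +44,16 @@.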

@@ -179,8 +179,8 @@

The URLs specified by the AuthFormLoginRequiredLocation directive will typically point to a page explaining to the user that their login attempt was unsuccessful, and they - should try again, while the AuthFormLoginSuccessLocation - directive specifies the URL the user should be redirected to on success.

+ should try again. The AuthFormLoginSuccessLocation + directive specifies the URL the user should be redirected to upon successful login.

Alternatively, the URL to redirect the user to on success can be embedded within the login form, as in the example below. As a result, the same form-login-handler can be @@ -216,15 +216,15 @@ session is in force, and the session times out in the middle of the user request. The user can be re-authenticated in place, and they can continue where they left off.

-

When a page protected by mod_auth_form is accessed, and the user is - not logged in, and no AuthFormLoginRequiredLocation - directive is specified as described in the section above, an HTTP_UNAUTHORIZED - status code is returned to the browser in the normal way indicating to the user that - they are not authorised to view the page.

+

If a non-authenticated user attempts to access a page protected by + mod_auth_form that isn't configured with a + AuthFormLoginRequiredLocation directive, + a HTTP_UNAUTHORIZED status code is returned to the browser indicating to the user + that they are not authorized to view the page.

To configure inline authentication, the administrator overrides the error document - returned by the HTTP_UNAUTHORIZED status code with a custom error document, - containing the login form, as follows.

+ returned by the HTTP_UNAUTHORIZED status code with a custom error document + containing the login form, as follows:

Basic inline example

AuthFormProvider file
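
Review bot: The rewritten first paragraph of this hunk now reads "a AuthFormLoginRequiredLocation directive" and "a HTTP_UNAUTHORIZED status code"; both need "an", and the removed text already had "an HTTP_UNAUTHORIZED". The clause "that isn't configured with" is also ambiguous, because it can attach either to the page or to mod_auth_form; wording such as "and no AuthFormLoginRequiredLocation directive is specified" (as in the removed text) avoids that. The mod_auth_form.xml hunk at @@ -187,15 +187,15 @@ carries the same text.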
@@ -238,9 +238,8 @@ SessionCryptoPassphrase secret

-

The error document file should contain the login form used to log in, as - per the example below. The key difference in this form is that the HTML - form action is left blank. This has the effect of submitting the form to +

The error document page should contain a login form with an empty action property, + as per the example below. This has the effect of submitting the form to the original protected URL, without the page having to know what that URL is.
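
Review bot: In the replacement sentence, "an empty action property" should read "an empty action attribute": action is an attribute of the HTML form element, and the removed text referred to it simply as "the HTML form action". The same phrase is introduced in the mod_auth_form.xml hunk at @@ -209,9 +209,8 @@.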

@@ -272,7 +271,7 @@ end user.

mod_auth_form addresses this by allowing the method and body - of the original request to be embedded in the login form, and if authentication + of the original request to be embedded in the login form. If authentication is successful, the original method and body will be retried by Apache, preserving the state of the original request.

@@ -298,7 +297,7 @@

One option is to use the mod_include module along with the KeptBodySize directive, along with a suitable - CGI script, to embed the variables in the form.

+ CGI script to embed the variables in the form.

Another option is to render the login form using a CGI script or other dynamic technology.

@@ -333,12 +332,12 @@ SessionCryptoPassphrase secret

-

Note that logging a user out does not delete the session, it merely removes +

Note that logging a user out does not delete the session; it merely removes the username and password from the session. If this results in an empty session, - the nett effect will be the removal of that session, but this is not + the net effect will be the removal of that session, but this is not guaranteed. If you want to guarantee the removal of a session, set the SessionMaxAge directive to a small - value, like 1. (Setting the directive to zero would mean no session age limit). + value, like 1 (setting the directive to zero would mean no session age limit).

Basic session expiry example

@@ -527,8 +526,8 @@

An attempt to access the URI /logout/ will result in the user being logged - out, and the page /logout.html will be displayed. Make sure that the page - logout.html is not password protected, otherwise the page will not be + out, and the page /loggedout.html will be displayed. Make sure that the page + loggedout.html is not password protected, otherwise the page will not be displayed.
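
Review bot: The rename from /logout.html to /loggedout.html in this paragraph is only correct if the example configuration it describes uses the same path, and that example lies outside the context shown in this hunk. Please confirm the value in the example matches before this goes in; the mod_auth_form.xml hunk at @@ -621,8 +620,8 @@ needs the same check.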

Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml?rev=657296&r1=657295&r2=657296&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml Fri May 16 23:21:58 2008 @@ -44,16 +44,16 @@ HTML login form can provide a much friendlier experience for end users.

-

HTTP Basic authentication is provided by - mod_auth_basic, and HTTP Digest Authentication is +

HTTP basic authentication is provided by + mod_auth_basic, and HTTP digest authentication is provided by mod_auth_digest. This module should - usually be combined with at least one authentication module + be combined with at least one authentication module such as mod_authn_file and one authorization module such as mod_authz_user.

Once the user has been successfully authenticated, the user's login - details will be stored in a suitably configured session, - as provided by the mod_session module.

+ details will be stored in a session provided by mod_session. +

mod_session @@ -150,8 +150,8 @@

The URLs specified by the AuthFormLoginRequiredLocation directive will typically point to a page explaining to the user that their login attempt was unsuccessful, and they - should try again, while the AuthFormLoginSuccessLocation - directive specifies the URL the user should be redirected to on success.

+ should try again. The AuthFormLoginSuccessLocation + directive specifies the URL the user should be redirected to upon successful login.

Alternatively, the URL to redirect the user to on success can be embedded within the login form, as in the example below. As a result, the same form-login-handler can be @@ -187,15 +187,15 @@ session is in force, and the session times out in the middle of the user request. The user can be re-authenticated in place, and they can continue where they left off.

-

When a page protected by mod_auth_form is accessed, and the user is - not logged in, and no AuthFormLoginRequiredLocation - directive is specified as described in the section above, an HTTP_UNAUTHORIZED - status code is returned to the browser in the normal way indicating to the user that - they are not authorised to view the page.

+

If a non-authenticated user attempts to access a page protected by + mod_auth_form that isn't configured with a + AuthFormLoginRequiredLocation directive, + a HTTP_UNAUTHORIZED status code is returned to the browser indicating to the user + that they are not authorized to view the page.

To configure inline authentication, the administrator overrides the error document - returned by the HTTP_UNAUTHORIZED status code with a custom error document, - containing the login form, as follows.

+ returned by the HTTP_UNAUTHORIZED status code with a custom error document + containing the login form, as follows:

Basic inline example AuthFormProvider file
@@ -209,9 +209,8 @@ SessionCryptoPassphrase secret
-

The error document file should contain the login form used to log in, as - per the example below. The key difference in this form is that the HTML - form action is left blank. This has the effect of submitting the form to +

The error document page should contain a login form with an empty action property, + as per the example below. This has the effect of submitting the form to the original protected URL, without the page having to know what that URL is.

@@ -243,7 +242,7 @@ end user.

mod_auth_form addresses this by allowing the method and body - of the original request to be embedded in the login form, and if authentication + of the original request to be embedded in the login form. If authentication is successful, the original method and body will be retried by Apache, preserving the state of the original request.

@@ -269,7 +268,7 @@

One option is to use the mod_include module along with the KeptBodySize directive, along with a suitable - CGI script, to embed the variables in the form.

+ CGI script to embed the variables in the form.

Another option is to render the login form using a CGI script or other dynamic technology.

@@ -304,12 +303,12 @@ SessionCryptoPassphrase secret
-

Note that logging a user out does not delete the session, it merely removes +

Note that logging a user out does not delete the session; it merely removes the username and password from the session. If this results in an empty session, - the nett effect will be the removal of that session, but this is not + the net effect will be the removal of that session, but this is not guaranteed. If you want to guarantee the removal of a session, set the SessionMaxAge directive to a small - value, like 1. (Setting the directive to zero would mean no session age limit). + value, like 1 (setting the directive to zero would mean no session age limit).

Basic session expiry example @@ -621,8 +620,8 @@

An attempt to access the URI /logout/ will result in the user being logged - out, and the page /logout.html will be displayed. Make sure that the page - logout.html is not password protected, otherwise the page will not be + out, and the page /loggedout.html will be displayed. Make sure that the page + loggedout.html is not password protected, otherwise the page will not be displayed.

Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml.meta URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml.meta?rev=657296&r1=657295&r2=657296&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml.meta (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml.meta Fri May 16 23:21:58 2008 @@ -1,5 +1,4 @@ - mod_auth_form Modified: httpd/httpd/trunk/docs/manual/mod/mod_session.html.en URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_session.html.en?rev=657296&r1=657295&r2=657296&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_session.html.en (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_session.html.en Fri May 16 23:21:58 2008 @@ -45,11 +45,11 @@

Sessions may be stored on the server, or may be stored on the browser. Sessions may also be optionally encrypted for added security. These features are divided into several modules in addition to - mod_session: mod_session_crypto, + mod_session; mod_session_crypto, mod_session_cookie and mod_session_dbd. Depending on the server requirements, load the appropriate modules into the server (either statically at compile time or dynamically - via the LoalModule directive).

+ via the LoadModule directive).

Sessions may be manipulated from other modules that depend on the session, or the session may be read from and written to using @@ -87,7 +87,7 @@

At the core of the session interface is a table of key and value pairs that are made accessible across browser requests.

-

These pairs can be set any valid set of strings, as needed by the +

These pairs can be set to any valid string, as needed by the application making use of the session.

top
@@ -330,7 +330,7 @@ Compatibility:Available in Apache 2.3.0 and later

The SessionExclude directive allows sessions to - be disabled specific URL prefixes only. This can be used to make a + be disabled relative to URL prefixes only. This can be used to make a website more efficient, by targeting a more precise URL space for which a session should be maintained. By default, all URLs within the directory or location are included in the session. The Modified: httpd/httpd/trunk/docs/manual/mod/mod_session.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_session.xml?rev=657296&r1=657295&r2=657296&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_session.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_session.xml Fri May 16 23:21:58 2008 @@ -45,11 +45,11 @@

Sessions may be stored on the server, or may be stored on the browser. Sessions may also be optionally encrypted for added security. These features are divided into several modules in addition to - mod_session: mod_session_crypto, + mod_session; mod_session_crypto, mod_session_cookie and mod_session_dbd. Depending on the server requirements, load the appropriate modules into the server (either statically at compile time or dynamically - via the LoalModule directive).

+ via the LoadModule directive).

Sessions may be manipulated from other modules that depend on the session, or the session may be read from and written to using @@ -64,7 +64,7 @@

At the core of the session interface is a table of key and value pairs that are made accessible across browser requests.

-

These pairs can be set any valid set of strings, as needed by the +

These pairs can be set to any valid string, as needed by the application making use of the session.

@@ -392,7 +392,7 @@

The SessionExclude directive allows sessions to - be disabled specific URL prefixes only. This can be used to make a + be disabled relative to URL prefixes only. This can be used to make a website more efficient, by targeting a more precise URL space for which a session should be maintained. By default, all URLs within the directory or location are included in the session. The Modified: httpd/httpd/trunk/docs/manual/mod/mod_session.xml.meta URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_session.xml.meta?rev=657296&r1=657295&r2=657296&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_session.xml.meta (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_session.xml.meta Fri May 16 23:21:58 2008 @@ -1,5 +1,4 @@ - mod_session
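
Review bot: In the @@ -45,11 +45,11 @@ hunks of mod_session.html.en and mod_session.xml, changing "mod_session: mod_session_crypto," to "mod_session; mod_session_crypto," breaks the sentence: the colon introduces the list of modules that follows, and a semicolon leaves that list as a fragment. Keep the colon; the LoalModule to LoadModule correction in the same hunk is fine as it stands.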
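
Review bot: In the @@ -330,7 +330,7 @@ hunk of mod_session.html.en and the @@ -392,7 +392,7 @@ hunk of mod_session.xml, "be disabled relative to URL prefixes only" is less clear than the text it replaces, which was only missing a preposition. "allows sessions to be disabled for specific URL prefixes only" fixes the grammar and keeps the meaning the next sentence relies on ("targeting a more precise URL space for which a session should be maintained").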