Received: by taz.hyperreal.com (8.6.12/8.6.5) id MAA05545;
	Wed, 24 Jul 1996 12:44:25 -0700
Received: from life.ai.mit.edu by taz.hyperreal.com (8.6.12/8.6.5) with SMTP
	id MAA05528; Wed, 24 Jul 1996 12:44:22 -0700
Received: from skydive.ai.mit.edu by life.ai.mit.edu (4.1/AI-4.10)
	for new-httpd@hyperreal.com id AA29929; Wed, 24 Jul 96 15:44:20 EDT
From: rst@ai.mit.edu (Robert S. Thau)
Received: by skydive.ai.mit.edu (8.6.12/AI-4.10) id PAA06894;
	Wed, 24 Jul 1996 15:44:32 -0400
Date: Wed, 24 Jul 1996 15:44:32 -0400
Message-Id: <199607241944.PAA06894@skydive.ai.mit.edu>
To: new-httpd@hyperreal.com
Subject: Re: How to authorize everyone?
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

  As soon as a mod_php script returns a 401 and the client sends the
  authentication request, Apache couldn't care less whether or not
  there was any directive to turn on authentication for that
  particular URL and it will go ahead and try to authenticate the
  request even though the intent was to have mod_php do it.

Incorrect. The current mod_auth* stuff does not do anything unless it
has been explicitly turned on in the server config files. If it
hasn't been, any Authorization: headers supplied by the client
(perhaps in response to a prior 401) are simply ignored.

To repeat --- if util_script.c is hacked so that CGI scripts see the
contents of the "Authorization:" header, they can do custom auth.
People have tried this, and it works. It wouldn't, if things worked
as you suggest above.

rst
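
Added example (not part of the original message, and not Apache or mod_php code): a CGI script doing the custom auth described above, with the server's own auth modules left off. It assumes the server exports the header to the script as HTTP_AUTHORIZATION; the realm, salt, user and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values: realm, fixed salt, one user -> PBKDF2-SHA256 digest.
REALM = "example"
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", SALT, 100_000)}


def parse_basic(header):
    """Return (user, password) from a Basic Authorization value, or None."""
    scheme, _, blob = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def check(environ):
    """Return (status, extra_headers) for one request's CGI environment."""
    challenge = [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]
    # Assumption: the server exports the header as HTTP_AUTHORIZATION.
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is None:
        return 401, challenge
    user, password = creds
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    # Compare in constant time; unknown users are checked against a dummy digest.
    if hmac.compare_digest(digest, USERS.get(user, b"\0" * 32)):
        return 200, []
    return 401, challenge


def main():
    status, headers = check(os.environ)
    lines = ["Status: %d" % status] + ["%s: %s" % h for h in headers]
    print("\n".join(lines + ["Content-Type: text/plain", ""]))
    print("ok" if status == 200 else "authentication required")


if __name__ == "__main__":
    main()
```

A missing, malformed or wrong credential gets the same 401 challenge, so the client re-prompts and the script, not the server, decides who gets in.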