httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David D'Antonio" <>
Subject RE: denying access without challenging?
Date Wed, 26 Nov 1997 18:43:42 GMT
On Wednesday, November 26, 1997 1:15 PM, Michael Smith 
[] wrote:


> But if a user has authenticated in /foo and then they access
> /bar which has the
> same realm, they don't get the pop-up box.  My interpretation
> is that the server
> sends back the realm and a 401 error, whereupon the browser
> sends the
> username/password which has already been established.

Yup, the browser will reuse the current auth info within the

> I imagine that the browser attempts to be clever and doesn't
> always wait for a 401
> error before it sends the password over - maybe if you have
> authenticated the URL
> /foo/xx and then try to access /foo/bar/xx it will send it
> anyway, but I'm not
> entirely sure on this one.  More investifation needed.

I believe (its been a while since I dealt with this so it might 
changed) that the browser will send the auth info pretty much 
the time if you stay within the Realm. Once you leave, it should
wait for the next 401.

> Mike


David D'Antonio CNE -
 Some they do and some they don't and some ya just can't tell
  Some they will and some they won't and some it's just as well

View raw message