httpd-dev mailing list archives

From Michael Smith <...@iii.co.uk>
Subject Re: denying access without challenging?
Date Wed, 26 Nov 1997 18:15:15 GMT
Random Junk wrote:

> Michael Smith writes:
> > Yyyyyyyyyup, but don't I have to send a 401 to persuade the client to send
> > authentication in the first place?  Just tracking through some log files, the
> > first time a user goes to a new protected directory, there is a 401 line in
> > access_log before the client sends the authentication string over.  Maybe this
> > wouldn't happen if bar was a subdirectory of foo.
>
> no, it always happens.  user requests /foo/bar with no authorize
> header (because how do they know they need to send one?  they don't.)
> so the server sends back 401.  browser puts up box.  user enters info,
> resends exact same request for /foo/bar but with authorize header.

But if a user has authenticated in /foo and then they access /bar which has the
same realm, they don't get the pop-up box.  My interpretation is that the server
sends back the realm and a 401 error, whereupon the browser sends the
username/password which has already been established.

I imagine that the browser attempts to be clever and doesn't always wait for a 401
error before it sends the password over - maybe if you have authenticated the URL
/foo/xx and then try to access /foo/bar/xx it will send it anyway, but I'm not
entirely sure on this one.  More investigation needed.

Mike
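As an added illustration (not code from this thread or from Apache), the following Python simulates the exchange discussed above: a constructed server protecting /foo/ and /bar/ under one realm, and a client that caches credentials per realm and, as RFC 7617 section 2.2 permits, sends them preemptively for paths at or below a directory it has already authenticated to. The paths, realm name and credentials are constructed for the example.

```python
import base64

# Constructed stand-in for an httpd with /foo/ and /bar/ protected in one realm.
PROTECTED = {"/foo/": ("Staff", {"mike": "s3cret"}),
             "/bar/": ("Staff", {"mike": "s3cret"})}


def server(path, authorization=None):
    """Return (status, WWW-Authenticate challenge) as a Basic-auth server would."""
    for prefix, (realm, users) in PROTECTED.items():
        if not path.startswith(prefix):
            continue
        challenge = f'Basic realm="{realm}"'
        if not authorization or not authorization.startswith("Basic "):
            return 401, challenge          # no credentials: challenge the client
        try:
            decoded = base64.b64decode(authorization[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return 401, challenge          # malformed token: challenge again
        user, _, password = decoded.partition(":")
        return (200, None) if users.get(user) == password else (401, challenge)
    return 200, None                       # unprotected path


class Browser:
    """Client that remembers a password per realm and, per RFC 7617 s2.2,
    sends it preemptively for paths under an already-authenticated directory."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.known_realms = set()   # realms the user has typed a password for
        self.spaces = []            # directory prefixes known to be protected
        self.prompts = 0            # how many times the dialog box appeared
        self.log = []               # (path, status) for every request on the wire

    def _authz(self):
        token = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        return "Basic " + token

    def get(self, path):
        preemptive = any(path.startswith(p) for p in self.spaces)
        status, chal = server(path, self._authz() if preemptive else None)
        self.log.append((path, status))
        if status == 401:
            realm = chal.split('realm="', 1)[1].rstrip('"')
            if realm not in self.known_realms:   # nothing cached: show the box
                self.prompts += 1
                self.known_realms.add(realm)
            status, chal = server(path, self._authz())   # resend the same request
            self.log.append((path, status))
            if status == 200:                    # learn the protection space
                self.spaces.append(path.rsplit("/", 1)[0] + "/")
        return status
```

Requesting /foo/xx, then /foo/bar/xx, then /bar/yy yields one dialog box, one preemptive request that never sees a 401, and one silent 401 round trip for /bar/yy because the realm is already known. That matches the three cases the thread describes.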
