httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: [users@httpd] mod_auth_form questions
Date Fri, 21 Sep 2012 15:19:35 GMT
On 21 Sep 2012, at 3:25 PM, Jeff Trawick <> wrote:

>> 1: (why) do I need to specify the AuthName, Session, and authn
>> provider params (e.g. DBD query) in both the location I am protecting
>> and in the location that defines the form-login-handler?

You do, yes, because HTTP is stateless.

The original hit to your original protected URL (request 1) triggered a redirect to your login
page (request 2), which caused the end user to type a username and password and click submit
(request 3). By the time request 3 has happened, the server has no idea request 1 has happened.
Both request 1 and request 3 must be protected for the server to log you in.

>> 2: I'd like to say that an entire logical tree is protected, and have
>> a successful login redirect back to wherever the user tried to go in
>> the first place. However, the doc seems to be telling me that I need
>> to supply AuthFormLoginSuccessLocation with a specific URL in it.
>> In other words, if I start out with
>> <Location /protectedStuff/>
>>    AuthType form
>>    ...
>> </Location>
>> and then I set up
>> <Location /dologin.html>
>>   SetHandler form-login-handler
>>   ...
>> </Location>
>> and the user navigates to /protectedStuff/banannas.html, I'd like a
>> successful login to redirect to that location, whereas if they
>> navigate to /protectedStuff/kumquats.html, ditto.

In this case, you want inline login, described at


View raw message