httpd-dev mailing list archives

From Graham Leggett <>
Subject Re: make mod_auth_form tell you where the credentials came from
Date Tue, 03 Dec 2013 12:15:01 GMT
On 03 Dec 2013, at 1:27 PM, Thomas Eckert <> wrote:

> I have been having problems with mod_auth_form on returning DENIED from my custom auth
> provider. This provider has its own module-local session cache, where stuff like accessible
> paths, credentials and the like are stored to avoid having to query an external (and expensive)
> authentication daemon. Once such a session is accessed by the user browsing (e.g. with the
> corresponding session cookie) I might need to invalidate the session (e.g. time out). After
> failing the appropriate checks I would "return DENIED" but this had an unpleasant drawback:
> If a user accessed the session by sending the filled-in form (e.g. on a new device with no
> cookie) the code would still return DENIED if the session was invalid for whatever reason.
> This resulted in the user being shown the form again, even though the user just filled in
> the form correctly.

I'm not fully understanding the flow you're describing. Are you sure you're not accidentally
password protecting / session protecting the login form?

The login form needs to be accessible without any restrictions on authn/authz or session,
otherwise httpd will deny access to the form too.

Can you clarify the flow of requests during login that you are expecting?
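
The layout described in the reply above, as an added configuration sketch that is not part of the original message: only the protected area carries `Require valid-user`, while the login page sits outside it. The paths, host name, realm and password file are assumptions, and the stock `file` provider stands in for the custom provider discussed in the thread.

```apache
# Constructed example for httpd 2.4 with mod_auth_form, mod_request,
# mod_session and mod_session_cookie loaded. All paths, the host name
# and the realm are assumptions chosen for illustration.

# Protected area: form authentication and a session are required here only.
<Location "/secure">
    AuthType form
    AuthName "example-realm"
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    # Requests without valid credentials are redirected to the login
    # page, which lives outside /secure.
    AuthFormLoginRequiredLocation "http://example.com/login.html"
    Session On
    SessionCookieName session path=/
    Require valid-user
</Location>

# Login page: no authn/authz restriction, so a browser with no session
# cookie can still fetch the form.
<Location "/login.html">
    Require all granted
</Location>

# Target of the form POST (fields httpd_username / httpd_password).
# The handler checks the credentials and creates the session; it has
# no Require directive of its own.
<Location "/dologin.html">
    SetHandler form-login-handler
    AuthType form
    AuthName "example-realm"
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthFormLoginRequiredLocation "http://example.com/login.html"
    AuthFormLoginSuccessLocation "http://example.com/secure/"
    Session On
    SessionCookieName session path=/
</Location>
```

If the login page were moved under `/secure`, or if the `Require valid-user` block were widened to `/`, the form itself would fall under the same restriction it is meant to satisfy.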

