httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <>
Subject Re: Making mod_auth_digest mysql
Date Thu, 12 Feb 2009 21:02:04 GMT
On Thu, Feb 12, 2009 at 3:49 PM, Michele Waldman <> wrote:
> I'm doing this:
> RewriteEngine On
> RewriteCond %{REMOTE_USER} .
> RewriteRule ^.*$ - [S=1]
> RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R]
> AuthType Digest
> AuthName "account"
> AuthUserFile /path/.htpasswd
> Require valid-user
> 1) The user is logged in.
> 2) The user logs out.
> 3) In ff, the user hits the backpage button.
> 4) The user gets a dialog box to login rather than being redirected.

HTTP is stateless.  You wrote a rule that wants to see if
authentication has already occured, so on some level you're
acknowledging that authentication is processed _before_ your rewrite.

When you configure authentication for a resource, the very same code
that would authenticate you will immediately prompt you for
credentials if they're not provided.  This happens before your
per-directory rewrites have a chance to do anything.

RewriteLog would likely tell you that the conditions/rules are not
evaluated in this scenario, because the 401 is returned before the
fixup hook where rewrite runs in per-dir context

Eric Covener

View raw message