From: "Michele Waldman"
Reply-To: modules-dev@httpd.apache.org
Subject: RE: Safari - Why?
Date: Sun, 5 Apr 2009 13:33:36 -0400

One thing I did also try was stuff like:

    RewriteEngine On
    RewriteCond ${HTTP_USER_AGENT} "safari" [NC]
    RewriteCond ${HTTP_???} !"realm=account" [NC]
    RewriteRule ^(.*)$ forbidden.html ???

Typing this off the head, can't remember the variable.

This seemed to work. For some reason the server environment variables seemed to be working but SetEnvIf wasn't when I was using Safari.

It was starting to really turn into a hack using all the ReWrites. So, I decided I really wanted to revisit SetEnvIf.

The server can't set the server environment without the headers I don't believe. So, the header must be set.

As suggested, I'll try spaces but I don't see them in the header. Is php stripping out spaces in phpinfo()? Does phpinfo() show exactly as sent from the browser or does it scrub them?

Michele

-----Original Message-----
From: Michele Waldman [mailto:mmwaldman@nyc.rr.com]
Sent: Sunday, April 05, 2009 12:45 PM
To: modules-dev@httpd.apache.org
Subject: RE: Safari - Why?

I don't see any spaces in the header. I listed them below. They look just like the ones from IE and FF.

I'm willing to try anything though. I know sometimes for spaces you use \s, I think. I'll look it up to be sure.

That's what's so troubling. It looks the same and works with IE and FF, but not with Safari and another browser or two.

And for anyone concerned: this is not my security. I didn't want to post the whole thing. I'm only having trouble with the SetEnvIf statements.

Michele

-----Original Message-----
From: Kfir Dadosh [mailto:dadosh@checkpoint.com]
Sent: Sunday, April 05, 2009 4:56 AM
To: modules-dev@httpd.apache.org
Subject: RE: Safari - Why?

I know sometimes Safari adds spaces to the cookie value.
Try something like "^(.*)?logged_out= *1(.*)?$"
I don't remember the syntax for space matching.

HTH,
Kfir

-----Original Message-----
From: Michele Waldman [mailto:mmwaldman@nyc.rr.com]
Sent: Friday, April 03, 2009 10:09 PM
To: modules-dev@httpd.apache.org
Subject: Safari - Why?

I have a SetEnvIf which works when using IE and FF, but not Safari. Since it's on the server side, I figured it should always work just as long as the browser sets the HTTP headers correctly.

    SetEnvIf Cookie "logged_out=1" logged_out_env=1
    Order Allow,Deny
    Deny from env=logged_out_env

    SetEnvIf Authorization "realm=\"account\"" logged_in_env=1
    Order Allow,Deny
    Allow from env=logged_in_env

I set the realm with htaccess digest and the cookie with php.

I've tried things like "^(.*)?logged_out=1(.*)?$", etc.

For some reason neither of these statements allow the user access when using Safari, but if I turn the orders off and look at phpinfo, the headers look like:

    Cookie __utmz=125407186.1238772749.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none ); PHPSESSID=sqh58tnkrkmb46o6bd1e60srq7; logged_out=0; __utma=125407186.2910789677633345500.1238772749.1238783965.1238784122.7; __utmc=125407186; __utmb=125407186.42.10.1238784122

    Authorization Digest username="auser", realm="account", nonce="jpCKC6tmBAA=d6657424b87e5916af57b6184e62949d9638d4c6", uri="/account/", response="b52f484b12096ec8b376349366616b95", algorithm="MD5", cnonce="e3545cc852130483f1cc536f40f9c6ff", nc=00000001, qop="auth"

Does anyone know why this wouldn't work? It's throwing me for a loop. What is Safari doing?

Thanks,
Michele
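
Added example (not written by anyone in the thread): a small Python harness that runs the posted SetEnvIf patterns over the posted header values and a few constructed cookie strings, to see which variables would be set and what an Order Allow,Deny block then decides. Python's re module stands in for Apache's regex matching; STRICT_PATTERN, the function names, the abridged headers and the nonce placeholder are assumptions made for this example.

```python
import re

# SetEnvIf rules from the original post: (request header, regex, variable).
POSTED_RULES = [
    ("Cookie", r'logged_out=1', "logged_out_env"),
    ("Authorization", r'realm="account"', "logged_in_env"),
]
KFIR_PATTERN = r'^(.*)?logged_out= *1(.*)?$'   # pattern suggested in the reply
# Assumption: a stricter pattern that matches only a whole name=value pair.
STRICT_PATTERN = r'(?:^|;\s*)logged_out\s*=\s*1\s*(?:;|$)'

# Headers abridged from the phpinfo() output in the post; nonce is a placeholder.
POSTED_HEADERS = {
    "Cookie": "PHPSESSID=sqh58tnkrkmb46o6bd1e60srq7; logged_out=0; __utmc=125407186",
    "Authorization": 'Digest username="auser", realm="account", '
                     'nonce="<nonce>", uri="/account/", qop="auth"',
}

def setenvif(headers, rules):
    """Set a variable when the regex is found anywhere in the header value."""
    env = set()
    for header, pattern, var in rules:
        # An absent header is matched as an empty string.
        if re.search(pattern, headers.get(header, "")):
            env.add(var)
    return env

def allow_deny(env, allow=(), deny=()):
    """Order Allow,Deny: some Allow must match and no Deny may match."""
    return any(v in env for v in allow) and not any(v in env for v in deny)

def cookie_matches(pattern, cookie):
    """True when the pattern is found in the Cookie header value."""
    return re.search(pattern, cookie) is not None

if __name__ == "__main__":
    env = setenvif(POSTED_HEADERS, POSTED_RULES)
    print("env set for posted headers:", sorted(env))
    print("second block admits request:", allow_deny(env, allow=["logged_in_env"]))
    # Constructed cookie values to compare the three patterns.
    for cookie in ["logged_out=1", "a=b; logged_out= 1", "logged_out=10", "not_logged_out=1"]:
        print(f"{cookie!r:24}", [cookie_matches(p, cookie)
              for p in (POSTED_RULES[0][1], KFIR_PATTERN, STRICT_PATTERN)])
```

The unanchored "logged_out=1" also matches logged_out=10 and not_logged_out=1, so a pattern tied to the whole cookie pair is the safer test. SetEnvIf only tests the text of the Authorization header; it does not check the digest response.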