httpd-users mailing list archives

From "Nebergall, Christopher" <cneb...@sandia.gov>
Subject [users@httpd] Auth Modules and internal Redirects
Date Fri, 31 Jan 2003 18:34:30 GMT
Is it possible to securely authenticate the initial request, then not
re-authenticate the internally redirected request again? Mod_auth and
mod_digest always re-authenticate the user from scratch, even on internally
redirected requests. All the necessary information seems to be present to
skip re-authenticating from scratch for internally redirected requests. The
username and the authentication type used are still part of the connection
structure and it is possible to determine that the request was an internal
redirect, but I've never seen any module take advantage of this information
to speed up authentication. It would be very beneficial to take advantage
of this speed-up for some authentication types that 1.) take a relatively
long time to process, or 2.) are not reusable, and would fail if tried
again.

Could anyone comment whether it is secure to take this approach and not
re-authenticate from scratch iff the request is not an initial request
(meaning it's a sub-request or internal redirect), the username field is not
null, and the auth type is still valid for the location of the redirected
request?

Thanks,

Christopher Nebergall


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
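
The check proposed in the message above, modeled as a self-contained C function. This is an added example, not code from the original post or from httpd: `model_req`, `decide_auth` and the `verified` flag are hypothetical stand-ins for the server's request structures. The `verified` flag is an extra assumption of the model, so that a non-null username field is not treated by itself as proof that a credential check succeeded.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for a server request record (hypothetical model,
 * not httpd's real request or connection structures). */
typedef struct model_req {
    const struct model_req *prev;  /* set when this is an internal redirect */
    const struct model_req *main;  /* set when this is a sub-request */
    const char *user;              /* username field */
    const char *auth_type;         /* scheme that populated user */
    int verified;                  /* 1 only after a full credential check passed */
    const char *required_type;     /* auth type configured for this location */
} model_req;

enum auth_decision { AUTH_FULL_CHECK = 0, AUTH_REUSE_PARENT = 1 };

/* Decide whether a request may inherit its parent's identity instead of
 * being authenticated from scratch. Any doubt falls back to the full check. */
enum auth_decision decide_auth(model_req *r)
{
    const model_req *parent = r->prev ? r->prev : r->main;

    if (parent == NULL)                 /* initial request: nothing to inherit */
        return AUTH_FULL_CHECK;
    if (parent->user == NULL || parent->auth_type == NULL)
        return AUTH_FULL_CHECK;         /* username field is null */
    if (!parent->verified)              /* assumption: user set, but never checked */
        return AUTH_FULL_CHECK;
    if (r->required_type == NULL ||
        strcmp(r->required_type, parent->auth_type) != 0)
        return AUTH_FULL_CHECK;         /* auth type not valid for target location */

    /* Inherit the identity so a further redirect from r can reuse it too. */
    r->user = parent->user;
    r->auth_type = parent->auth_type;
    r->verified = 1;
    return AUTH_REUSE_PARENT;
}
```

The model compares only the auth type, as the message proposes; it does not model realms or per-location user and group requirements, which a real authorization step would still have to evaluate for the redirected location.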

