httpd-users mailing list archives

From George Valpak <>
Subject Re: [users@httpd] OT-Getting info and DAP etc clients
Date Sat, 11 Jan 2003 23:50:17 GMT
At 06:51 PM 1/11/2003 -0500, you wrote:
>George Valpak wrote:
>>What if you only allowed x (maybe x=1) simultaneous logins? This
>>could be managed at authorization time.
>HTTP is stateless, you can't track how many times a person is "logged in" or when they log out.
>It may appear that you only have to log in at the start of a session, but actually the browser remembers that you had to send authorization information and continues to send it for each future page requested.

I admit I picked up the thread in the middle, but isn't he talking about preventing password
sharing? If so, then he must know if a particular account is in use ("logged in" at any given

Oh wait, you have to use something other than Basic Authentication for that, which could mean
writing a handler to handle the authentication/authorization. Since I do all my work under
mod_perl, I do that all the time and sort of forgot it is not available by default.

So let me rephrase my original answer:

If you are able to create an authentication/authorization handler, then you can use something
other than Basic authentication to track whether or not someone is logged in. You could then
prevent, or at least manage, simultaneous logins as needed. This could, depending on your reasons
for wanting to prevent pw sharing, help a lot.

Sessions can help, but authorization happens at an earlier stage in Apache's processing cycle
and so you could catch folks before a session is even created for them.
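
Added example, not part of the original message and not mod_perl code: a Python sketch of the bookkeeping a custom authentication/authorization handler would need to cap simultaneous logins per account. The class name `LoginLimiter`, the per-login token and the 15-minute idle timeout are assumptions; the timeout stands in for the logout that a stateless protocol never reports.

```python
import secrets
import time


class LoginLimiter:
    """Tracks live login tokens per account and caps simultaneous logins."""

    def __init__(self, max_logins=1, idle_timeout=900, clock=time.monotonic):
        self.max_logins = max_logins      # the "x" from the thread
        self.idle_timeout = idle_timeout  # seconds without a request (assumed)
        self.clock = clock                # injectable so tests can move time
        self.sessions = {}                # user -> {token: last_seen}

    def _live(self, user):
        # HTTP has no logout event, so idle tokens are aged out instead.
        now = self.clock()
        live = {tok: seen for tok, seen in self.sessions.get(user, {}).items()
                if now - seen < self.idle_timeout}
        self.sessions[user] = live
        return live

    def login(self, user):
        """Call only after the credentials were verified.

        Returns a fresh token, or None when the account is already in use
        max_logins times.
        """
        live = self._live(user)
        if len(live) >= self.max_logins:
            return None
        token = secrets.token_urlsafe(32)  # unguessable, one per login
        live[token] = self.clock()
        return token

    def authorize(self, user, token):
        """Per-request check: the token must belong to a live login."""
        live = self._live(user)
        if token not in live:
            return False
        live[token] = self.clock()  # activity keeps the login alive
        return True

    def logout(self, user, token):
        """Explicit logout frees the slot immediately."""
        self.sessions.get(user, {}).pop(token, None)
```

Refusing the new login, as here, locks a user out until the idle timeout if the browser was closed without logging out; evicting the oldest token instead is the other common policy.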

