From: "Nebergall, Christopher"
To: "Apache Users (E-mail)"
Date: Fri, 31 Jan 2003 11:34:30 -0700
Subject: [users@httpd] Auth Modules and internal Redirects

Is it possible to securely authenticate the initial request, then not re-authenticate the internally redirected request again?

Mod_auth and mod_digest always re-authenticate the user from scratch even on internally redirected requests. All the necessary information seems to be present to skip re-authenticating from scratch for internally redirected requests.
The username and the authentication type used are still part of the connection structure and it is possible to determine that the request was an internal redirect, but I've never seen any module take advantage of this information to speed up authentication.

It would be very beneficial to take advantage of this speed up for some authentication types that 1.) take a relatively long time to process, or 2.) are not reusable, and would fail if tried again.

Could anyone comment whether it is secure to take this approach and not re-authenticate from scratch iff the request is not an initial request (meaning it's a sub-request or internal-redirect), the username field is not null, and the auth type is still valid for the location of the re-directed request?

Thanks,
Christopher Nebergall