httpd-users mailing list archives

From "Boyle Owen" <>
Subject RE: [users@httpd] apache authentication
Date Wed, 28 May 2003 08:53:36 GMT
>-----Original Message-----
>From: James Bond []
>I would like to set up an apache authentication using apache modules.
>My current setup:
>Apache 2.0.45 + mod_auth + mod_ssl on Red Hat Linux
>I am using file-based authentication using mod_auth.
>It works fine but I have one issue with it. When a user connects to the
>http site, apache asks for a password and authenticates. When the user
>connects to the ssl site, i.e. https, the user has to authenticate again.
>Is there any way to integrate these two authentications? I would like the
>user to authenticate only once per session. What about using mod_usertrack
>to set up cookies, or mod_ldap? Any suggestions!!

I don't know how your HTTP and HTTPS sites are related so it's a bit
difficult to answer definitively but I guess they are served from
different DocRoots (they're obviously different VHs). In any case, the
point is that it is the *browser* that prompts you for a password. Every
time you try to access a resource which is behind an authentication,
apache requires an Authorization header. It is up to the browser to
decide whether to send this. If the browser recognises the URL as being
a sub-dir of a dir for which it already has a password, it sends it
automatically from its cache. However, if the browser doesn't recognise
the URL, it makes a request without an Authorization header and so gets
a 401 back. This causes it to prompt for the password.

Off the top of my head, I don't know if a browser regards
http://server/dir as the same resource as https://server/dir so I don't
know if it would automatically submit the PW to the HTTPS version if it
already had it for the HTTP site. If the URLs are different (e.g.
http://server/dir1 and https://server/dir2) then it will certainly not
do so and you'd have to login twice.

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
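
Added example (not part of the original message and not Apache or browser code): a toy Python model of the browser-side credential cache the reply describes. It assumes the client follows the protection-space definition in RFC 7235 (scheme, host and port) and the path-prefix reuse rule in RFC 7617; `BasicAuthCache`, the URLs and the credentials are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

class BasicAuthCache:
    """Toy model of a browser's Basic-auth credential cache (hypothetical class)."""

    def __init__(self):
        # (scheme, host, port) -> list of (path_prefix, realm, "user:pass")
        self._entries = {}

    @staticmethod
    def _root(url):
        u = urlsplit(url)
        port = u.port or {"http": 80, "https": 443}[u.scheme]
        return (u.scheme, u.hostname, port)

    @staticmethod
    def _prefix(url):
        # Directory of the URL: everything up to the last "/" in the path.
        path = urlsplit(url).path or "/"
        return path[: path.rfind("/") + 1]

    def store(self, url, realm, user, password):
        """Remember credentials after the user answered a 401 prompt for url."""
        self._entries.setdefault(self._root(url), []).append(
            (self._prefix(url), realm, f"{user}:{password}"))

    def authorization_for(self, url):
        """Header sent preemptively, or None (bare request, server answers 401)."""
        path = urlsplit(url).path or "/"
        matches = [e for e in self._entries.get(self._root(url), [])
                   if path.startswith(e[0])]
        if not matches:
            return None
        _, _, creds = max(matches, key=lambda e: len(e[0]))  # deepest prefix wins
        return "Basic " + base64.b64encode(creds.encode()).decode()

def demo():
    cache = BasicAuthCache()
    # Constructed sample: user logged in once at http://server/dir/ (realm "Staff").
    cache.store("http://server/dir/", "Staff", "james", "s3cret")
    urls = ["http://server/dir/sub/page.html",  # sub-dir: header sent from cache
            "http://server/dir2/",              # other dir: no header, 401
            "https://server/dir/"]              # other scheme: different root URI
    return {u: cache.authorization_for(u) for u in urls}

if __name__ == "__main__":
    for url, header in demo().items():
        print(url, "->", header or "no Authorization header (expect 401 and a prompt)")
```

Under these assumptions the https:// URL never receives the credentials cached for http://, which is why the user is prompted a second time. The header value is only base64-encoded, so the copy sent to the http:// site crosses the network in the clear.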


The official User-To-User support forum of the Apache HTTP Server Project.