httpd-users mailing list archives

From: "Robert Andersson" <rob...@profundis.nu>
Subject: Re: [users@httpd] Two levels of authentication
Date: Wed, 20 Aug 2003 04:33:12 GMT

Patrick L. Nolan wrote:
> <Directory /home/www/htdocs/elite>
> AuthName "Private area for elite users"
> </Directory>
>
> <Directory /home/www/htdocs/ordinary>
> AuthName "The area for the ordinary folks"
> </Directory>

You see, it isn't Apache that decides whether or not the user is prompted
for the credentials. As HTTP is a stateless protocol with no concept of
sessions, the User-Agent is required to send the credentials with each and
every request, so it could theoretically challenge the user each time a
resource is requested. However, it is supposed to recognize "authentication
realms" together with URL scope (e.g. so that it doesn't send passwords to
another site) to recycle the credentials, and as your realms are named
differently the User-Agent MUST NOT send credentials for the other without
prompting the user. So, if your 'elite' area is located in a subdirectory,
you might be able to achieve this by giving the realm the same name. If they
are on different hosts, you will not be able to do this without serious
client-side hacks (e.g. set location to 'http://login:pass@elitehost/' with
JavaScript).

However, unless I misunderstand something about your requirements, shouldn't
you be able to have all users in the same database but create an 'elite'
group that is allowed into the 'elite' area?

Regards,
Robert Andersson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
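
The single-database arrangement suggested in the reply above, written out as an added example that is not part of the original message: one realm name and one password file cover both areas, and the nested elite directory adds a group requirement. The directory layout (members/ with elite/ beneath it), the file paths under /etc/httpd/auth, the realm string and the group name are assumptions.

```apache
# Assumed layout: the elite area is a subdirectory of the ordinary area,
# so both fall under one URL scope on the same host.
<Directory /home/www/htdocs/members>
    AuthType Basic
    # One realm name for both areas: the browser may reuse the credentials
    # it already holds instead of prompting a second time.
    AuthName "Members area"
    # Single user database (created with htpasswd); path is an assumption.
    AuthUserFile /etc/httpd/auth/users
    # Group file, one line per group, e.g.:  elite: alice bob
    AuthGroupFile /etc/httpd/auth/groups
    # Any user in the database may enter the ordinary area.
    Require valid-user
</Directory>

# AuthType, AuthName and the two file directives are inherited from the
# parent directory; only the access requirement is tightened here.
<Directory /home/www/htdocs/members/elite>
    Require group elite
</Directory>
```

A user who authenticates successfully but is not listed in the elite group receives a 401 response for the elite area, so the browser prompts again rather than silently granting access.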