httpd-users mailing list archives

From "Robert Andersson"
Subject Re: [users@httpd] %{HTTP:Authorization}
Date Wed, 12 Nov 2003 14:49:32 GMT
Wouter van Vliet wrote:
> Hmmm .. What if you don't set up an ErrorDocument, since it will never
> reach the client unless the client sends an invalid password three times.

Apache always sends the error document. Apache does not keep count of how many
times authorization fails; it is the client that, usually after 3 times,
gives up and finally displays the error document Apache has been sending
all along. This fact is often considered a weakness in Basic
Authentication, because it makes the server vulnerable to dictionary attacks.

> Though this triggered me to think a certain way. When you're able to run
> your scripts in mod_perl environment you can define a custom 'Handler',
> which is usually a perl class. This handler might know about the status
> code from where you can redirect to the https environment. And if not,
> just fire a subrequest.

Yep. I have not used mod_perl very much, but I deem that it would be
possible as well.

A comment on my last suggestion. You can probably save yourself from having
a real error document. Because Apache will invoke a subrequest to deliver
the error document, you can probably catch that request with mod_rewrite and
send away the client.

Robert Andersson

The official User-To-User support forum of the Apache HTTP Server Project.
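Since the server keeps no count of failed Basic Authentication attempts, as the message above describes, the counting has to be done elsewhere, for instance over the access log. The following is an added example, not part of the original message or of Apache itself: it flags clients that produce repeated 401 responses within a short window. The function name, threshold, window and log lines are constructed for illustration, and it assumes Common Log Format with the supplied user name logged in the `%u` field on a 401.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, hypothetical /private/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2003:14:40:00 +0000] "GET /private/ HTTP/1.1" 401 401',
    '192.0.2.10 - alice [12/Nov/2003:14:40:05 +0000] "GET /private/ HTTP/1.1" 401 401',
    '192.0.2.10 - alice [12/Nov/2003:14:40:09 +0000] "GET /private/ HTTP/1.1" 200 1043',
] + [
    f'198.51.100.7 - admin [12/Nov/2003:14:41:{s:02d} +0000] "GET /private/ HTTP/1.1" 401 401'
    for s in range(6)
]


def flag_auth_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client: peak count} for clients with >= threshold failed
    credential submissions (401 with a user name) inside the sliding window."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # skip lines that are not in the assumed format
        host, user, ts, status = m.groups()
        # A 401 with user "-" is the ordinary first challenge (no credentials
        # were sent), so only 401s that carry a user name count as failures.
        if status != "401" or user == "-":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[host]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


if __name__ == "__main__":
    for client, count in flag_auth_guessing(SAMPLE_LOG).items():
        print(f"{client}: {count} failed Basic auth attempts within 60s")
```

The user who mistyped a password once (192.0.2.10) is not flagged; only the client with six failures in six seconds is.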