httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Basic Authentication question
Date Thu, 12 May 2005 08:07:39 GMT
> -----Original Message-----
> From: K Anand [mailto:kanand@sail-steel.com]
> Sent: Donnerstag, 12. Mai 2005 05:52
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Basic Authentication question
> 
> 
> you didn't understand what I was asking...The config I have 
> included is
> working ..I have used htpasswd and everything is working 
> fine....All I want
> to know is how does  apache  know that I have already 
> authenticated or not ?

The first time the client requests a resource in a protected realm, it doesn't know it is
protected so makes a plain request. The server responds with a 401 Unauthorized. The client
then pops up a password window and captures the username/password (aka, the credentials).
The client repeats the request but this time adds an Authorization header containing the credentials.
The server gets the request and verifies the credentials, if OK, it serves the resource. The
client caches the credentials and for all subsequent requests in the same realm, it adds the
same Authorization header - that's how you stay "logged in".

That's also how it is really hard to get the browser to "forget" your password - even if you
surf off to a different site and come back a day later, it'll remember your credentials and
send them off again.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> Anand
> 
> ----- Original Message ----- 
> From: "Chris Winfield-Blum" <chris@leadingside.com>
> To: <users@httpd.apache.org>
> Sent: Thursday, May 12, 2005 9:14 AM
> Subject: Re: [users@httpd] Basic Authentication question
> 
> 
> > you will have to use the htpasswd tools located in your 
> apache bin to
> > create the password file. then you point that directory to 
> that file: ie:
> >
> > /etc/httpd/conf/passwd/passwords
> >
> > This should do that you need :)
> >
> > K Anand said the following:
> >
> > >Hi all,
> > >
> > >I have a very basic question regarding authentication on 
> apache...I have
> in
> > >my httpd.conf a section like below :
> > ><Directory "/var/www/cgi-bin">
> > >    AuthType Basic
> > >    AuthName "By Invitaion Only"
> > >    AuthUserFile /etc/httpd/conf/passwd/passwords
> > >    Require valid-user
> > >
> > >    AllowOverride None
> > >    Options ExecCGI
> > >    Order allow,deny
> > >    Allow from all
> > ></Directory>
> > >
> > >So whenever a browser first sends a cgi-bin request, 
> authentication is
> done
> > >by userid and password...Whenever subsequent requests come 
> for cgi-bin,
> > >authentication is not required provided the browser has 
> not been closed.
> How
> > >is this done ?
> > >
> > >I know that this is not a problem but I would like to know 
> just for my
> > >information.
> > >
> > >Thanx
> > >Anand
> > >
> > >
> > 
> >---------------------------------------------------------------------
> > >The official User-To-User support forum of the Apache HTTP Server
> Project.
> > >See <URL:http://httpd.apache.org/userslist.html> for more info.
> > >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > >For additional commands, e-mail: users-help@httpd.apache.org
> > >
> > >
> > >
> > >
> >
> >
> > 
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
>
 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message