httpd-users mailing list archives

From Craig Dunigan <>
Subject RE: [users@httpd] Apache checks authentication twice
Date Mon, 12 Sep 2005 14:39:09 GMT
Answers inline.

On Mon, 12 Sep 2005, Boyle Owen wrote:

> > -----Original Message-----
> > From: Stefan-Michael. Guenther (in-put GbR)
> > []
> > Sent: Montag, 12. September 2005 16:17
> > To:
> > Subject: Re: [users@httpd] Apache checks authentication twice
> > 
> > 
> > Hi,
> > 
> > > I think you're right - the second application is really just another
> > > instance of the browser. This might be because you are using
> > > "target=_blank" in the link to force a new window. If you don't do this it
> > > should use the same window and so retain the credentials.
> > >
> > Apache produces a directory listing for this dir, so there is no
> > target=_blank in it.
> The point is: does a new window appear? If so, that is a new
> instance of the browser. It will not inherit the cache of the parent
> and so will not be in possession of the login credentials.
> It may not be possible to solve your problem using Basic Auth...
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 

Absolutely right, I've run into it myself.  IE sees the file
extension, and triggers Excel (using an MS web library client, I
forget the exact name) to issue a second HTTP request. Incorrectly, in
my opinion, because it doesn't even evaluate the MIME type first; in
fact, it ignores the MIME type entirely the last time I checked.  And
it didn't matter what the target was in our case, but I'm speaking
from second-hand knowledge on that part, so I could be remembering
wrong.  I do know that I had to create a separate Directory block with
no authentication for MS Office files, because IE always (in our case)
passed the URL to the MS web library client instead of making the
request itself.  Check your apache access logs - if the UserAgent
string is that library instead of MSIE, then I'd bet that's the

We were able to get away with turning off authentication on the
Directory block containing the MS files because we were also using
cookie-based session and authorization management, which redirected
any attempts to access the files directly (w/o having logged in to get
the cookies first) to the login page.  Owen's right, IMO, you can't do
this with Basic Auth alone.

Craig Dunigan
IS Technical Services Specialist
Middleware - EIS - DoIT
University of Wisconsin, Madison

opinions expressed are my own, not the University's
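
The access-log check suggested in the message above, as an added example that is not part of the original post: it flags Office documents fetched by MSIE and then re-requested by the same host under a different User-Agent. It assumes Apache's "combined" log format, a 10-second pairing window and a three-extension list; the helper User-Agent in the sample is a placeholder, since the post does not name the library.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')
OFFICE_EXT = re.compile(r'\.(xls|doc|ppt)$', re.I)  # assumed extension list

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def second_requests(lines, window=timedelta(seconds=10)):
    """Return (path, browser_ua, helper_ua, helper_status) for each Office
    document fetched by MSIE and then re-requested by the same host with a
    different User-Agent inside `window`."""
    last = {}   # (host, path) -> most recent request whose UA contained MSIE
    hits = []
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0]
        if not OFFICE_EXT.search(path):
            continue
        key = (rec["host"], path)
        if "MSIE" in rec["ua"]:
            last[key] = rec
            continue
        first = last.get(key)
        if first and rec["ts"] - first["ts"] <= window:
            hits.append((path, first["ua"], rec["ua"], int(rec["status"])))
    return hits

# Constructed sample lines (not from the original thread). The helper
# User-Agent is a placeholder; the post does not name the real library.
SAMPLE = [
 '192.0.2.10 - alice [12/Sep/2005:14:00:01 +0000] "GET /reports/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
 '192.0.2.10 - alice [12/Sep/2005:14:00:05 +0000] "GET /reports/q3.xls HTTP/1.1" 200 20480 "http://intranet.example/reports/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
 '192.0.2.10 - - [12/Sep/2005:14:00:06 +0000] "GET /reports/q3.xls HTTP/1.1" 401 401 "-" "Example-Office-Web-Client/1.0"',
 '192.0.2.11 - bob [12/Sep/2005:14:01:00 +0000] "GET /reports/q3.xls HTTP/1.1" 200 20480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for path, browser, helper, status in second_requests(SAMPLE):
        print(f"{path}: re-requested by {helper!r} -> {status}")
```

A hit with status 401 and no logged user on the second line means the follow-up request arrived without the Basic Auth credentials the browser had cached.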
