httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Knoblauch <>
Subject Re: [users@httpd] How to prevent AuthBasic login pop-up after first failed login attempt
Date Wed, 19 Oct 2005 12:36:11 GMT
>>  hmm. Not sure that this will help. The 401 ErrorDocument is only
>> displayed, when I finally press the "cancel" button on the login
>> pop-up.  I can do an infinite number of failed logins before without
>> getting the ErrorDocument displayed.
>No, in fact, the ErrorDocument is delivered to the browser
>immediately.  It is the browser that looks at it, observes the 401
>error code, and displays a password prompt rather than the document
>itself.  So by sending a code other than 401, you will prevent the

 thanks. just learned something new :-)
>By the way, this whole discussion is premised on the assumption that
>your original use of FakeBasicAuth is correct.  I wouldn't be at all

 The use is correct, I believe. It is even documented that way. Just my
use-case may be wrong :-)

>surprised if there was a better way of enforcing certificate use to

 It is not about enforcing certificate use. That works fine as it is.
What I need/want are additional restrictions on the individual

>prevent this whole problem.  But I don't have enough ssl knowledge
>to say.

 Looking at the documentation, there are two ways to achieve what I
want. One is using the "FakeBasicAuth" method, the other is to
formulate my filter using complex SSLRequire statements.

 FakeBasicAuth has the advantage of not requiring changes to the httpd
configuration files and not needing to restart the server. Just edit
the password file if you want to add or delete recognized sertificates.
The disadvantages are the 401 problem I see and the feeling that
something called FakeSomething may be a hack :-)

 The SSLRequire method has the advantage that it would do what I want
without the 401 problem. The disadvantages are that you need to edit
the config files, that you need to restart the server and that the
SSLRequire statements can get very complex if you want to deal with
more than a handful of certificates.

 Now, over the weekend I actually solved my problem by hacking up the
mod_auth code to return HTTP_FORBIDDEN instead of HTTP_UNAUTHORIZED. I
even added a new directive AuthTolerant in order to control the
behaviour. If somebody is interested in the diffs, I am happy to supply


Martin Knoblauch
email: k n o b i AT knobisoft DOT de

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message