httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "mdn teo" <>
Subject Re: [users@httpd] Basic Auth Login Retries
Date Fri, 22 Aug 2008 12:54:35 GMT
  This is why I want to redirect browsers after the first failed login, when
they get 401:

Following this howto: i
setup authentication to my secure area, I used a configuration like the
"howto", I wrote my subjectDN in the "httpd.passwd" with the defined
password, and everything works fine.

SSLVerifyClient      none
<Directory /usr/local/apache2/htdocs/secure/area>
SSLVerifyClient      require
SSLVerifyDepth       5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions           +FakeBasicAuth
AuthName             "Snake Oil Authentication"
AuthType             Basic
AuthUserFile         /usr/local/apache2/conf/httpd.passwd
require              valid-user

 /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
<my subject DN >:xxj31ZMTZzkVA

If my SubjectDN is present in the file "httpd.passwd", access is granted,
while if the my SubjectDN is not in the "httpd.passwd" file, I am prompted
for username and password, as the browser gets a 401 http-status.
I think this is misleading for users, as they are accessing the area with
their certificate, and whether somebody has been disabled (i.e. deleted form
the httpd.passwd), or has no rights for a defined area, he gets a
user-password prompt and the "authorization required" page after "n"
attempts, depending on the browser configuration. I know the disabled user
won't have access anyway, but I am wondering if there is a way to skip this
or to provide a 403 http-status instead of 401.

>  --------- Forwarded message ----------
> From: André Warnier <>
> Date: Tue, Aug 12, 2008 at 5:54 PM
> Subject: Re: [users@httpd] Basic Auth Login Retries
> To:
> Krist van Besien wrote:
>> On Mon, Aug 11, 2008 at 11:56, mdn teo <> wrote:
>> But how can I force to skip login retries?
>>> I tried to set a custom 401 error page, redirecting to another page, but
>>> it
>>> redirects just after the "n" login attempts.
>>> I'd like to find a way to force the redirect to another page after the
>>> first
>>> failed login for all browsers.
>> You can't do this easily, because of the way http authentication works.
>> Basically a browser will always first request a password protected
>> page without authentication details, and your server must always react
>> to that with a 401. (or the user won't get a chance to authenticate)
>> When a browser gets a 401 response it will prompt the user for a
>> username and password, and retry the request, this time with an
>> authentication header added. This for a number of times, set in the
>> browser.
>> What you want, is for your server  to serve a 403 when a request comes
>> in for a page with an authentication header already set, but with the
>> wrong authentication data in the header. I don't think you can do this
>> in an easy way, as apache itself will reply with a 401 as soon as
>> authentication fails. the only possible solution I see is to program a
>> custom authentication module (possibly in Perl)
>> Krist
>> First, what Krist wrote above is totally correct.
> The following is just my own way of saying essentially the same thing.
> To do what you want to achieve :
> a) you would need to really understand how http authentication works, and
> understand that it is not specific to Apache : all httpd servers and
> browsers work in the same way, so it is not easy to change.
> b) you would need to write (or have someone write for you) your own custom
> authentication mechanism and integrate it into Apache.
> And yes, it could certainly be done using mod_perl.
> But it is not totally trivial, because it has to be done in a way that does
> not confuse the browser nor Apache about what is going on.
> So, you need to think hard about how much this is worth to you, and if it
> justifies the effort.
> Also, considering your problem in a top-down fashion, you should know that
> the Basic Authentication mechanism built into Apache and the browser, is not
> the only way in which one can authenticate to an Apache server using a
> user-id and password.  Other methods exist which would look similar to your
> users, be more secure, and in addition could do essentially what you want
> (the login page the first time, defaulting to something else in case of
> wrong userid/password).
> For example, have a look at this :
> André
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>  "   from the digest:
> For additional commands, e-mail:

View raw message