www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: config/315: <LIMIT> causes two password queries unless given fqdn.
Date Sun, 06 Apr 1997 18:23:30 GMT
There is no way for apache (or any web server) to know what domain a
user's client uses to resolve unqualified addresses.  This is a
client-side issue... not only does it mess up www-authentication, it
breaks any cookie code if you use it.  You'll have to train your users to
use FQDNs or have a link somewhere that takes them into your authenticated
hierarchy using a FQDN. 

In your case it might also be that your 403 errordoc requires auth...
which of course is problematic :)


On Fri, 4 Apr 1997, Joanna Gaski wrote:

> >Number:         315
> >Category:       config
> >Synopsis:       <LIMIT> causes two password queries unless given fqdn.
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    apache (Apache HTTP Project)
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Fri Apr  4 12:20:02 1997
> >Originator:     jgaski@wpi.edu
> >Organization:
> apache
> >Release:        1.2b7
> >Environment:
> Digital Unix 4.0B, cc compiler
> >Description:
> This problem occurs when using the new "satisfy any" match ability for .htaccess
> files. Using this .htaccess file in /info/test:
> <Limit GET>
> satisfy any
> order deny,allow
> deny from all
> allow from bert.wpi.edu
> Authname test
> AuthType Basic
> AuthUserFile /www/docs/info/test/passwd
> require valid-user 
> errordocument 403 http://www.wpi.edu/Stratplan/sorry.html
> </Limit>
> When a request is made for the page from another domain, Netscape queries the
> user twice for their password, UNLESS the URL for the requested page contains
> the server's fully qualified domain name, with the domain in all caps. In this
> case, the user is only queried once. 
> >How-To-Repeat:
> No, because you aren't in our password file. It should be easy to recreate
> on another system.
> >Fix:
> It may be that the time it takes the webserver to qualify the domain name is
> causing the problem. Another clue would be that the two password validation
> boxes are different sizes, meaning that they are generated in different parts
> of the code. Sorry can't help more
> >Audit-Trail:
> >Unformatted:

View raw message