From: "Michele Waldman"
Reply-To: modules-dev@httpd.apache.org
Subject: RE: mod_auth_digest
Date: Fri, 10 Apr 2009 19:39:40 -0400

Ok. Cool. I'm seeing the subsequent calls. For some reason, I didn't think I was before.

O.k. So, here's what I'm up to. After the user is logged into a realm, when Safari and Chrome try to call via ajax the page with a new user/password, but it seems apache is returning the previous authentication.

What I'm trying to figure out is if the new user/password is indeed being sent. If so, I want to force a new authentication, but only if the user is logged in and the Require restrict user_name (particular user) is the user specified.

I've already implemented the Require restrict. Now, I'm going to see if I can force reauthentication in this case.

As you may remember, I modified mod_auth_digest to authenticate against mysql.

If this works then I can get Rest Based Authentication to work for Safari and Chrome. I probably won't work tonight, so hopefully I'll know by tomorrow afternoon sometime.

Rest Based Authentication already works for FF and IE. If Firefox, IE, Chrome and Safari work, then a few more may, too. Opera can not be logged in to with Ajax as far as I can tell, so Opera is out with this implementation, regrettably.

I'm hoping this works as a viable htaccess security option, at least for me. No one else seems to be interested other than the author of the webpage on Rest Based Authentication.

Margaret Michele Waldman
Sovereign Sites L.L.C.
Website Development
646-861-3375
Rule your domain ...

-----Original Message-----
From: Michele Waldman [mailto:mmwaldman@nyc.rr.com]
Sent: Friday, April 10, 2009 7:26 PM
To: modules-dev@httpd.apache.org
Subject: RE: mod_auth_digest

Reply.

I put print statements in the mod_auth_digest file to see values. I didn't see subsequent call, but I forgot to check the timestamps.

I'll look again.

Thanks.

Margaret Michele Waldman
Sovereign Sites L.L.C.
Website Development
646-861-3375
Rule your domain ...

-----Original Message-----
From: Ray Morris [mailto:support@bettercgi.com]
Sent: Friday, April 10, 2009 7:06 PM
To: modules-dev@httpd.apache.org
Subject: Re: mod_auth_digest

You won't see anything special on the Apache side, I don't think. I believe the only difference between the first authentication and subsequent requests is that the browser (hopefully) sends the user/pass with each request, so there is no need for Apache to return a 401, causing the client to pop up the authentication dialog and re-request the page with the authentication info the second time around.

--
Ray B. Morris
support@bettercgi.com

Strongbox - The next generation in site security:
http://www.bettercgi.com/strongbox/

Throttlebox - Intelligent Bandwidth Control
http://www.bettercgi.com/throttlebox/

Strongbox / Throttlebox affiliate program:
http://www.bettercgi.com/affiliates/user/register.php

On 04/10/2009 04:33:23 PM, Michele Waldman wrote:
> Does anyone know?
>
> After a browser calls a page authenticated with mod_auth_digest, what
> function or hook is called the next time the page is accessed?
>
> I figure it has to authenticate each time, but it's probably using a
> short cut to reauthenticate. I want to intervene but I'm not sure what's
> getting called on subsequent page accesses.
>
> Thanks,
>
> Michele
>
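
The per-request check discussed in this thread, as an added example that is not part of the original messages and is not mod_auth_digest's code: it builds the Digest Authorization value a browser sends with each request (RFC 2617, qop=auth), verifies it on the server side, and reports whether valid credentials name a different user than the one seen before. The realm, users, passwords, nonces and all function names are constructed for illustration; nonce issuing, staleness and nonce-count tracking are left out.

```python
import hashlib
import hmac
import re

REALM = "example-realm"  # constructed sample value

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, password):
    # What a digest credential store keeps per user: MD5(user:realm:password)
    return md5_hex(f"{user}:{REALM}:{password}")

def response_for(user_ha1, method, p):
    # RFC 2617 request-digest for qop=auth
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{user_ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def client_header(user, password, method, uri, nonce, nc, cnonce):
    # Browser side: the Authorization value sent with every request
    p = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = response_for(ha1(user, password), method, p)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest(header):
    # Returns {} for any scheme other than Digest
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k: quoted or bare for k, quoted, bare in pairs}

def check_request(method, header, store, previous_user=None):
    """Server side, run on every request. Returns (status, user, user_changed)."""
    if header is None:
        return 401, None, False  # no credentials yet: send the challenge
    p = parse_digest(header)
    needed = {"username", "uri", "nonce", "nc", "cnonce", "qop", "response"}
    user_ha1 = store.get(p.get("username"))
    if not needed <= p.keys() or user_ha1 is None:
        return 401, None, False
    expected = response_for(user_ha1, method, p)
    if not hmac.compare_digest(expected.encode(), p["response"].encode()):
        return 401, None, False
    user = p["username"]
    return 200, user, previous_user is not None and user != previous_user

STORE = {"alice": ha1("alice", "pw-a"), "bob": ha1("bob", "pw-b")}  # constructed
```

The third element of the result is the signal for the case described in the thread: it is true only when the header verifies and its username differs from the previously authenticated one.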