>Number: 4023
>Category: general
>Synopsis: Location Redirects can confuse authentication
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Mar 8 15:10:01 PST 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3.4
>Environment:
Linux kokopelli 2.0.35 #2 Fri Nov 13 16:14:02 EST 1998 i586 unknown.
gcc version 2.8.0.
Same problem occurs with Netscape and Lynx clients.
Same problem occured with Apache 1.2.x
>Description:
I have a setup where I have two subdirectories of my cgi-bin directory each
with .htaccess files. The two .htaccess files have the same AuthUserFile, and
AuthType, but different AuthNames. (The idea is to let a person log in as
two different users simultaneously.)
I found that under some circumstances, a user who has authenticated for one
subdirectory does not get asked to reauthenticate when he accesses programs
in the other subdirectory. My guess is that this has to do with a Location
redirect from the parent directory during the first authentication maybe
causing Apache to associate the AuthName with the parent directory instead
of the subdirectory.
>How-To-Repeat:
I spent some time generating simple programs that reproduce the same bug I
first hit in my complex program. I'm not on a publically accessible server,
but it's easy enough to set up. Here's how it goes:
- Create two subdirectories under cgi-bin. Mine are called "pw" and "adm".
- Stick a copy of the "printenv" cgi program distributed with Apache in each
directory.
- Create a .htaccess file in each directory. Mine look like:
AuthUserFile <path-name>
AuthGroupFile /dev/null
AuthName PWDIR
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
- Edit the .htaccess file in the "adm" subdirectory to have a different
AuthName, say "ADMDIR", but leave it with the same AuthUserFile.
- Create the AuthUserFile with at least one user in it.
At this point, you should be able to hit "cgi-bin/pw/printenv", authenticate
for that, and then hit "cgi-bin/adm/printenv" and be asked to reauthenticate.
Everything cool so far.
- Install the following script in the parent cgi-bin directory, calling it
"redirect":
#!/bin/csh
echo "Content-type: text/html"
echo "Location: /cgi-bin/pw/printenv"
echo ""
Now we are all set up. Here's the sequence of events that causes problems:
- Exit your browser and start a fresh one.
- Hit the "/cgi-bin/redirect" page. You will be asked for a login and
password. Give them. This runs cgi-bin/pw/printenv and works fine.
- Now hit "/cgi-bin/adm/printenv". This should ask for authentication, but
it doesn't. It happily runs the script without reauthenticating.
If the location redirect in the "redirect" script is done as
Location: pw/printenv
instead of
Location: /cgi-bin/pw/printenv
this seems to work OK.
Luckily it seems only the AuthName that it gets confused about. If the
second .htaccess file has a different AuthUserFile, it still looks in the
right AuthUserFile on the second hit.
If you have any trouble reproducing this, let me know. I can probably put it
somewhere public.
>Fix:
Nope.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]
