and at the moment I see only one way to fix it reliably: Remove it from the documentation and the code.
(There's also a report w.r.t. the issue: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25725)

Long version:

It could not work, because the hooks in which mod_setenvif is invoked are both called *before* any authentication is done. This is unavoidable, because one wants to use the variables, e.g. in allow/deny clauses.

However, I've tried to fix it and took the same mechanism as mod_rewrite. I did an ap_sub_req_lookup_uri to r->uri and copied the rr->user from it. The point is: because of the optimization step taken in server/request.c:213, it does not work in directory context, because -- dir_config was already merged, but auth not evaluated yet! (remember, we're still in header_parser). This means the lookup technique works only in server context (not in htaccess) or after successful authn/z (too late).

My conclusion is:

(a) parse the header ourselves (-1)
(b) drop it entirely (+1)

Any opinions?

nd