Re: cvs commit: httpd-2.0/modules/aaa mod_auth_digest.c

Mon, 12 Jul 2004 13:59:41 -0700 


[EMAIL PROTECTED] wrote:
> pquerna     2004/07/10 00:47:23
> 
>   Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
>                modules/aaa Tag: APACHE_2_0_BRANCH mod_auth_digest.c
>   Log:
>   Backport of AuthDigestEnableQueryStringHack
>   Needs a doc update to explain what it does.

something like the attached?  corrections, tweaks, or other feedback welcome.

--Geoff


Index: mod_auth_digest.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_auth_digest.xml,v
retrieving revision 1.5.2.8
diff -u -r1.5.2.8 mod_auth_digest.xml
--- mod_auth_digest.xml	17 Apr 2004 18:43:37 -0000	1.5.2.8
+++ mod_auth_digest.xml	12 Jul 2004 14:16:11 -0000
@@ -72,7 +72,9 @@
     browsers. As of November 2002, the major browsers that support digest
     authentication are <a href="http://www.opera.com/";>Opera</a>, <a
     href="http://www.microsoft.com/windows/ie/";>MS Internet
-    Explorer</a> (fails when used with a query string), <a
+    Explorer</a> (fails when used with a query string - see the
+    <directive module="mod_auth_digest">AuthDigestEnableQueryStringHack
+    </directive> option below for a workaround), <a
     href="http://www.w3.org/Amaya/";>Amaya</a>, <a
     href="http://www.mozilla.org";>Mozilla</a> and <a
     href="http://channels.netscape.com/ns/browsers/download.jsp";
@@ -81,6 +83,36 @@
     in controlled environments.</p>
     </note>
 </section>
+
+<section id="msie"><title>Working with MS Internet Explorer</title>
+    <p>The Digest authentication implementation in current Internet
+    Explorer implementations has known issues, namely that <code><GET</code>
+    requests with a query string are not RFC compliant.  There are a
+    few ways to work around this issue.</p>
+
+    <p>
+    The first way is to use <code>POST</code> requests instead of
+    <code>GET</code> requests to pass data to your program.  This method
+    is the simplest approach if your application can work with this
+    limitation.
+    </p>
+
+    <p>Apache also provides a workaround in the
+    <code>AuthDigestEnableQueryStringHack</code> environment variable.
+    If <code>AuthDigestEnableQueryStringHack</code> is true for the
+    request, Apache will take steps to work around the MSIE bug and
+    remove the request URI from the digest comparison.  Using this
+    method would look like similar to the following.</p>
+
+    <example><title>Using Digest Authentication with MSIE:</title>
+    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
+    </example>
+
+    <p>See the <directive module="mod_setenvif">BrowserMatch</directive>
+    directive for more details on conditionally setting environment
+    variables</p>
+</section>
+
 
 <directivesynopsis>
 <name>AuthDigestFile</name>

Reply via email to