On Wed, 21 Jun 2000, Blue wrote:

> On Wed, 21 Jun 2000, J. J. Horner wrote:
> 
> > For that reason, my handler can't rely on browsers to behave during the
> > Authentication phase.  I am going to have to find a way to force a user to
> > input his password into the browser not using standard HTTP response
> > codes.
> 
> Could you elaborate on that a little more, please?

When a browser is sent a 401 response code, it checks its password cache
for a password for that REALM, and, if found, sends it.  If it isn't
found, it requests one from the user.  IE 4.x never wants to ask the user
for that, if it has one in its cache, even if the server sends a 401
response back again.  It appears to keep trying a few times.

Under Netscape, if I want a browser to pop another dialogue box (say a
user has a valid password/uid pair, but I'm trying to force him to input
it again), I can send back the 401 error and if the user doesn't cancel
out, everything is fine.  If the user cancels the dialogue, goes somewhere
else, and then comes back, he can get it without submitting a username and
password again.

What I will have to do, I guess, will be to write a mod_perl handler to
allow a CGI script to step in at the Authentication phase, request the
user's password again, in an HTML form, check that password against the
password returned with $r->get_basic_auth_pw and if the check returns
true, send back the document originally requested.

I am trying to find a way to spawn a subrequest so that the user can click
a link, get the "Please verify password" page, then go on to what he
requested.

Does this clear it up?


-- 
J. J. Horner
Apache, Perl, Unix, Linux
[EMAIL PROTECTED] http://www.knoxlug.org/
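
One way to write the form-based re-check described in the message above, using the mod_perl 1.x API; this is an added example, not code from the original post or its author. The module name, the `/private/` prefix and the form field names `next` and `password` are assumptions, and the companion access handler goes beyond the message: it refuses direct requests to the protected tree so the form cannot be skipped.

```perl
package Apache::ReVerify;              # hypothetical module name
use strict;
use Apache::Constants qw(:common :methods);
use constant PREFIX => '/private/';    # assumed protected tree

# Compare two strings without stopping at the first differing byte.
sub same {
    my ($x, $y) = @_;
    my $diff = length($x) ^ length($y);
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_ % (length($y) || 1), 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Content handler for the "Please verify password" location.
sub handler {
    my $r = shift;
    my ($res, $basic_pw) = $r->get_basic_auth_pw;
    return $res unless $res == OK;         # browser sent no Basic credentials
    my $post = ($r->method eq 'POST');
    my %in   = $post ? $r->content : $r->args;
    my $next = defined $in{next} ? $in{next} : '';
    # Only hand out documents under PREFIX; refuse traversal and markup.
    return FORBIDDEN
        unless index($next, PREFIX) == 0 && $next !~ m{\.\.|[\r\n<>"&%]};
    if ($post && defined $in{password} && same($in{password}, $basic_pw)) {
        $r->notes(reverified => 1);        # read back by access() below
        $r->method('GET');                 # serve the target as a plain GET
        $r->method_number(M_GET);
        $r->headers_in->unset('Content-Length');
        $r->internal_redirect($next);
        return OK;
    }
    $r->content_type('text/html');
    $r->no_cache(1);
    $r->send_http_header;
    $r->print(qq{<form method="POST">},
              qq{<input type="hidden" name="next" value="$next">},
              qq{Please verify password: <input type="password" name="password">},
              qq{<input type="submit"></form>});
    return OK;
}

# PerlAccessHandler for PREFIX: allow only the internal redirect issued above.
sub access {
    my $prev = shift->prev;
    return ($prev && $prev->notes('reverified')) ? OK : FORBIDDEN;
}
1;
```

The form location needs `AuthType Basic` with `require valid-user` so that `get_basic_auth_pw` has a password to compare against, and `Apache::ReVerify::access` is installed as the `PerlAccessHandler` for the prefix.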
