Version: Apache/1.3.12 (Unix) mod_perl/1.24
What: PerlAuthenHandler returns headers without WWW-Authenticate field
Work-around: set with $r->err_header_out

Is this fixed in 1.25?

Description:

Modules called using the PerlAuthenHandler that eventually return
AUTH_REQUIRED will not send clients all RFC-required headers under
certain conditions.

If the client already has cached login credentials and is sending a
cached Basic authentication token, the request looks something like
this:

GET /private/ www.foobar.com HTTP/1.1
Authorization: Basic ljkdhfoi984h0FGDH==

If you want to force the client to resend the credentials via user
input (dialog box), you can return an AUTH_REQUIRED to the Apache
request.  You might want to do this for timing reasons, or if the user
has changed their password, etc.  If you return AUTH_REQUIRED the
headers will look something like this:

HTTP/1.1 401 Authorization Required
Date: Tue, 27 Mar 2001 00:32:11 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.24
Connection: close
Content-Type: text/html

If the client is using Internet Explorer (Netscape doesn't seem to
care) this will *not* pop up the dialog box; instead the 401 error
document will be displayed.  This is because MSIE follows the RFC (I'm
as surprised as you are :-)) which requires the server to also send
the WWW-Authenticate header.  A properly formed header would look like
this:

HTTP/1.1 401 Authorization Required
Date: Tue, 27 Mar 2001 00:32:11 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.24
WWW-Authenticate: Basic realm="Alumni Database"
Connection: close
Content-Type: text/html

Note, this *only* happens when using the Perl API (PerlAuthenHandler)
and when the client is sending both a "GET/POST" and an
"Authorization" header.  A vanilla Apache server will return the
WWW-Authenticate header for a protected resource regardless of the
client request.

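The work-around named in the report, written out as a mod_perl 1.x PerlAuthenHandler. This is an added example, not code from the original message or from mod_perl; the module name My::ReAuth, the PerlSetVar ReauthPasswdFile and the htpasswd-style crypt() password file are assumptions made for illustration.

```perl
# httpd.conf (assumed): AuthType Basic / AuthName "Alumni Database" /
#   require valid-user / PerlAuthenHandler My::ReAuth /
#   PerlSetVar ReauthPasswdFile /path/to/passwd   (placeholder path)
package My::ReAuth;    # hypothetical module name
use strict;
use Apache::Constants qw(OK AUTH_REQUIRED SERVER_ERROR);

# Return 401 together with the challenge header the report found missing.
sub challenge {
    my ($r, $why) = @_;
    # err_headers_out are the headers Apache sends on error responses
    $r->err_header_out('WWW-Authenticate' =>
        sprintf('Basic realm="%s"', $r->auth_name));
    $r->log_reason($why, $r->uri);
    return AUTH_REQUIRED;
}

sub handler {
    my $r = shift;

    # Decodes the Authorization header; a non-OK result is passed
    # straight back to Apache.
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;

    my $user = $r->connection->user;
    my $file = $r->dir_config('ReauthPasswdFile');    # assumed setting
    my $fh;
    unless (defined $file && open($fh, '<', $file)) {
        $r->log_error("My::ReAuth: cannot read password file");
        return SERVER_ERROR;
    }

    # Look the user up in the htpasswd-style file (user:crypt-hash).
    my $stored;
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $hash) = split /:/, $line, 2;
        if (defined $hash && $u eq $user) { $stored = $hash; last }
    }
    close $fh;

    # A cached token for a removed user or a changed password fails here,
    # and the 401 carries the challenge so the browser prompts again.
    return challenge($r, 'unknown user')
        unless defined $stored && length $stored;
    return challenge($r, 'password mismatch')
        unless crypt($sent_pw, $stored) eq $stored;
    return OK;
}
1;
```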