The Sapphire Cat wrote:
>
> Documentation for these functions reads as follows:
>
> $r->get_basic_auth_pw
> If the current request is protected by Basic authentication, this
> method will return 0, otherwise -1.

[snip]

ok, that's unclear (and not 100% correct, either). I'd change it to:

  If the current request is protected by Basic authentication, this method will return OK. Otherwise, it will return a value that ought to be propagated back to the client (typically AUTH_REQUIRED).

>
> $r->note_basic_auth_failure
> Prior to requiring Basic authentication from the client, this method
> will set the outgoing HTTP headers asking the client to authenticate
> for the realm defined by the configuration directive `AuthName'.

this looks fine as a high-level overview.

>
> Experiments have shown that in an AuthenHandler, get_basic_auth_pw
> will return AUTH_REQUIRED if the request is protected and the client
> did not send credentials. Furthermore, note_basic_auth_failure seems
> to have no effect on the realm name.

[snip]

> So what does
> note_basic_auth_failure *really* do?

it really does pretty much what it says, it's just that you are misunderstanding it :)

note_basic_auth_failure sends the WWW-Authenticate header back to the client, using the value set in httpd.conf for AuthName. this ought to signify that the requested resource requires user credentials for the specified realm - what the client chooses to do with that information is up to the client, but most know how to implement Basic authentication by now :)

you really need to look at the headers involved in this multi-step process to understand what's going on. (or see recipe 13.3 ;)

>
> Finally, I want to fix the get_basic_auth_pw documentation. Where
> should patches go for that, and in what format?

send a unified diff of Apache.pm (based on the CVS version) to [EMAIL PROTECTED]

if you agree with the above changes, I'll submit it for you if you want.

--Geoff
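The two calls discussed in this thread, shown together in a mod_perl 1 authentication handler. This is an added example, not part of the original message or of the mod_perl distribution; the package name `My::BasicAuthen`, the helper `credentials_ok` and the configuration values in the comments are assumptions made for illustration.

```perl
package My::BasicAuthen;    # hypothetical module name
use strict;
use warnings;
use Apache::Constants qw(OK AUTH_REQUIRED);

# httpd.conf assumed for the protected location (constructed values):
#   AuthType Basic
#   AuthName "Example Realm"
#   PerlAuthenHandler My::BasicAuthen
#   require valid-user

sub handler {
    my $r = shift;

    # In list context this returns a status and the password decoded from
    # the Authorization header. When the client sent no credentials, the
    # status is not OK (typically AUTH_REQUIRED) and must be propagated
    # unchanged: that response is the first leg of the exchange, the 401
    # carrying the WWW-Authenticate challenge.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == OK;

    # Second leg: the client retried with an Authorization header.
    my $user = $r->connection->user;

    unless (defined $user && length $user
            && credentials_ok($user, $password)) {
        # Credentials were sent but rejected: re-issue the challenge for
        # the realm configured with AuthName, then answer 401 again.
        $r->note_basic_auth_failure;
        # Log the failure without ever writing the password to the log.
        $r->log_reason("Basic auth failed for realm " . $r->auth_name,
                       $r->uri);
        return AUTH_REQUIRED;
    }

    return OK;
}

# Hypothetical stand-in for a real credential check (hashed password
# store, LDAP bind, ...). It denies everything until it is wired to one.
sub credentials_ok {
    my ($user, $password) = @_;
    return 0;
}

1;
```

The realm in the challenge always comes from `AuthName` in the configuration, which is why calling `note_basic_auth_failure` does not change it.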