> <untested> > > I think you might need to iterate through $r->err_headers_out and > remove WWW-Authenticate and Proxy-Authenticate after each > authentication module runs. > > say you have an AuthSMB and AythSybase chain. AuthSMB calls > note_basic_auth_failure and sets the WWW-Authenticate header, > AuthSybase succeeds and sets the Authorizaion header. in this case, > both WWW-Authenticate and Authorization will be passed to the browser > (I think), which could lead to spurious results in some browsers. > > </untested>
or not. the browser sends the Authorization header, last I checked :) at any rate, I think my thoughts were headed somewhere. you might end up with a popup box on every request or something if every request ends up with a WWW-Authenticate header. it at least warrants a test I would think. the return code part is probably valid, though. anyway, I swear to start thinking before I type from now on... --Geoff