On Sun 30-Jun-2002 at 10:47:26AM -0700, Peter Bi wrote:
> Please check that the idea of this kind of authentication is to encrypt the
> ticket, instead of a plain session ID. If a cookie is not available, having
> it on the URI is a good idea. (Then one needs to have all links in a relative
> manner; see the Cookbook). A cookie itself does not make a secure session ID
> or a secure ticket. It is the encryption that does.

I *CANNOT* use cookies nor URIs for any kind of session tracking.
Otherwise I don't think I would have posted this message to the list in
the first place :-)

I agree that HTTP Basic authentication is totally and utterly ugly, but I
am going to have to stick with it no matter what... My problem is:

How do I tell Apache to set the $ENV{REMOTE_USER} variable if the
browser sent the credentials, or leave $ENV{REMOTE_USER} undef
otherwise, without sending a 401 back?

Cheers,
-- 
IT'S TIME FOR A DIFFERENT KIND OF WEB
================================================================
  Jean-Michel Hiver - Software Director
  [EMAIL PROTECTED]
  +44 (0)114 255 8097
================================================================
                                      VISIT HTTP://WWW.MKDOC.COM
