On Sun 30-Jun-2002 at 10:47:26AM -0700, Peter Bi wrote: > Please check that the idea of this kind of authentication is to encrypt the > ticket, instead of a plain session ID. If cookie is not available, having > it on URI is a good idea. (Then one needs to have all links in a relative > manner; see the Cookbook). Cookie itself does not make a secure session ID > or a secure ticket. It is the encryption that does.
I *CANNOT* use cookies nor URIs for any kind of session tracking. Otherwise I don't think I would have posted this message to the list in the first place :-) I agree that HTTP Basic authentication is totally and uterly ugly, but I am going to have to stick with it no matter what... My problem is: How do I tell apache to set the $ENV{REMOTE_USER} variable if the browser sent the credentials, or leave $ENV{REMOTE_USER} undef otherwise, without sending a 401 back. Cheers, -- IT'S TIME FOR A DIFFERENT KIND OF WEB ================================================================ Jean-Michel Hiver - Software Director [EMAIL PROTECTED] +44 (0)114 255 8097 ================================================================ VISIT HTTP://WWW.MKDOC.COM