Hi, Jean-Michel:

the "official" way to retrieve the remote user name under Basic Authentication is to call $r->connection->user(), or $r->user() in mod_perl 2.0, I think. With a ticket authentication, one gets the user name in the same way only AFTER the access control phase, because it is simulated from the ticket, see e.g. my Apache::CookieAccess source at modperl.home.att.net.

BTW, for me, Basic Authentication is not that ugly; it has been surprisingly stable (more so than most other Apache ideas) since day one.

Peter Bi

----- Original Message -----
From: "Jean-Michel Hiver" <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>
Cc: "Jean-Michel Hiver" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, June 30, 2002 12:20 PM
Subject: Re: Optional HTTP Authentication ?

> On Sun 30-Jun-2002 at 10:47:26AM -0700, Peter Bi wrote:
> > Please check that the idea of this kind of authentication is to encrypt the
> > ticket, instead of a plain session ID. If cookie is not available, having
> > it on URI is a good idea. (Then one needs to have all links in a relative
> > manner; see the Cookbook). Cookie itself does not make a secure session ID
> > or a secure ticket. It is the encryption that does.
>
> I *CANNOT* use cookies nor URIs for any kind of session tracking.
> Otherwise I don't think I would have posted this message to the list in
> the first place :-)
>
> I agree that HTTP Basic authentication is totally and utterly ugly, but I
> am going to have to stick with it no matter what... My problem is:
>
> How do I tell apache to set the $ENV{REMOTE_USER} variable if the
> browser sent the credentials, or leave $ENV{REMOTE_USER} undef
> otherwise, without sending a 401 back.
>
> Cheers,
> --
> IT'S TIME FOR A DIFFERENT KIND OF WEB
> ================================================================
> Jean-Michel Hiver - Software Director
> [EMAIL PROTECTED]
> +44 (0)114 255 8097
> ================================================================
> VISIT HTTP://WWW.MKDOC.COM
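
The requirement in the quoted question (set REMOTE_USER when the browser sends credentials, leave it undefined otherwise, never answer 401) reduces to the header check sketched here. This is an added example, not code from the thread or from Apache::CookieAccess; the account table and the names `optional_basic_user` and `same_string` are hypothetical, and hooking the result into a mod_perl handler is left out. The point a defender should note is that the user name is only returned after the password has been verified, so a client cannot set REMOTE_USER just by sending a header.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);
use Digest::SHA qw(sha256_hex);

# Constructed sample account store: user => salt and sha256(salt . password).
# A real deployment would use a slow password hash; SHA-256 keeps this self-contained.
my %ACCOUNTS = (
    alice => { salt => 'c0ffee', hash => sha256_hex('c0ffee' . 's3cret') },
);

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the verified user name, or undef when no valid credentials were sent.
# Absent, malformed and wrong credentials all mean "anonymous"; nothing here sends a 401.
sub optional_basic_user {
    my ($header) = @_;
    return undef unless defined $header;
    my ($b64) = $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i or return undef;
    # Limit of 2 keeps any further colons inside the password.
    my ($user, $pass) = split /:/, decode_base64($b64), 2;
    return undef unless defined $user && length $user && defined $pass;
    my $acct = $ACCOUNTS{$user} or return undef;
    return same_string(sha256_hex($acct->{salt} . $pass), $acct->{hash}) ? $user : undef;
}

# Constructed Authorization header values: none, valid, wrong password, malformed.
my @samples = (
    undef,
    'Basic YWxpY2U6czNjcmV0',   # alice:s3cret
    'Basic YWxpY2U6d3Jvbmc=',   # alice:wrong
    'Basic !!!',
);
for my $h (@samples) {
    my $user = optional_basic_user($h);
    printf "%-28s REMOTE_USER=%s\n",
        defined $h ? $h : '(no header)', defined $user ? $user : '(undef)';
}
```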