> > browser sent the credentials, or leave $ENV{REMOTE_USER} undef
> > otherwise, without sending a 401 back.
>
> I didn't think a browser would send authentication unless the server
> requested it for an authentication domain. How are you going to
> get some people to send the credentials and some not unless you
> use different URLs so the server knows when to request them?

The idea is that on a "location" which requires authentication I'll
redirect the user to a /login.html, or maybe a /?login=1 which will do
the following:

    IF user is authenticated => redirect to location it came from
    ELSE send 401 authorization required

This way users should get a login box strictly when necessary. Almost
all the requests go through an Apache::Registry friendly CGI script:

    Alias /.static /opt/chico/static
    Alias / /opt/mkd/cgi/mkdoc.cgi/

Everything is treated using $ENV{PATH_INFO} in the script, and the
script knows when something needs authentication or not.

> Note that you don't have to embed session info here, just add
> some element to the URL that serves as the point where you
> request credentials and omit it for people that don't log in. Or
> redirect to a different vhost that always requires authentication but
> serves the same data.

Oh but I have that already. I know that I need to password protect

    /properties.html
    /content.html
    /move.html
    /foo/properties.html
    /foo/content.html
    /foo/move.html
    etc...

Is it possible to password-protect a class of URIs using regexes? That
would be another good option.

Cheers,
--
IT'S TIME FOR A DIFFERENT KIND OF WEB
================================================================
Jean-Michel Hiver - Software Director
[EMAIL PROTECTED]
+44 (0)114 255 8097
================================================================
VISIT HTTP://WWW.MKDOC.COM
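
The login URL described in the message above (redirect back if $ENV{REMOTE_USER} is set, otherwise send the 401), as an added example that is not the poster's or MKDoc's code. The realm name, the idea of passing the return location as a value called `from`, and both function names are assumptions made for illustration; the return location is restricted to a local path so the login URL cannot redirect to another site.

```perl
#!/usr/bin/perl
# Added example: the login decision as a plain CGI response builder.
use strict;
use warnings;

# Assumption: hypothetical realm name, not taken from the message.
my $REALM = 'MKDoc';

# Accept only a local absolute path as the return target ("/x", never
# "//host/x" or "http://host/x"); anything else falls back to "/".
sub safe_return_path {
    my ($from) = @_;
    return '/' unless defined $from;
    return '/' unless $from =~ m{\A/(?![/\\])[A-Za-z0-9_.~/-]*\z};
    return $from;
}

# Build the CGI response for the login URL from the request environment.
sub login_response {
    my ($env, $from) = @_;
    if (defined $env->{REMOTE_USER} && length $env->{REMOTE_USER}) {
        # Credentials were already sent and accepted: go back.
        return "Status: 302 Found\r\n"
             . 'Location: ' . safe_return_path($from) . "\r\n\r\n";
    }
    # No credentials yet: this is the only place that issues the challenge.
    return "Status: 401 Authorization Required\r\n"
         . qq{WWW-Authenticate: Basic realm="$REALM"\r\n}
         . "Content-Type: text/plain\r\n\r\n"
         . "Authorization required\n";
}

# Constructed sample requests: [ environment, return location ].
for my $case (
    [ { REMOTE_USER => 'alice' }, '/foo/properties.html' ],
    [ { REMOTE_USER => 'alice' }, '//other.example/x' ],
    [ {},                         '/foo/properties.html' ],
) {
    my ($env, $from) = @$case;
    my $user = defined $env->{REMOTE_USER} ? $env->{REMOTE_USER} : '(none)';
    print "--- from=$from user=$user\n";
    print login_response($env, $from);
}
```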