but DECLINED is almost certainly a bad idea.


What was the idea behind
return DECLINED if $r->is_initial_req;
in auth handlers in the first place?

I think it stems from the Eagle book, thus from Doug, but I'm not sure - I can't remember exactly. It was probably an attempt to reduce overhead for subrequests when authentication is expensive (say, a DB query) and you don't really care about whether lookups are authenticated or not.


I tried to word it carefully in the book, saying using it depends on what you want to do in your application. Clearly, if you want to depend on proper authentication for lookups, then you don't want to use is_initial_req() logic at all. It wasn't until after it was too late that I realized DECLINED is problematic. My own particular problem with it was with the subrequests that mod_dir makes - IIRC, on a protected directory returning DECLINED on the subrequest really mucks things up.

HTH

--Geoff




