----- Original Message ----- 
From: "Martin Wickman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 21, 2003 4:41 PM
Subject: Re: [QUESTION] Can't read out verified username (auth)


> On Mon, Jul 21, 2003 at 12:36:55PM +0200, Fatih Gey wrote:
> > > On Mon, Jul 21, 2003 at 01:05:58AM +0200, Fatih Gey wrote:
> > > > 
> > > > I was writing my own AuthHandler with mod_perl v2 (v1.99_09).
> > > 
> > > [...]
> > > 
> > > > After having entered user/pass via an HTML form, this authentication
> > > > does its job well, but on the following request (on the same browser)
> > > > $obj->user doesn't seem to return any value, so this handler tries
> > > > to compare HTTP POST data (which isn't present this time) with
> > > > user data in the MySQL table, resulting in an Auth_Required error.
> > > 
> > > Well, how do you suppose that the browser should know how and what
> > > credentials to send?
> > > 
> > > Unless you (a) create a session cookie, (b) encode a session key into
> > > each URL or (c) use the simple but proper Basic Authentication scheme,
> > > there is no way to accomplish this. And from what I gather you are not
> > > doing any of that?
> > > 
> >
> > I supposed the browser to always resend a unique "browser session
> > id", which is used by Apache to save certain values, like
> > $ENV{'REMOTE_USER'} (similar to a session cookie with uid and
> > server-based $vars). Isn't this the way the Basic Authentication
> > scheme works?
> 
> Nope. When the browser gets a 401 response from the server, it will
> (most likely) pop up a dialog asking the user for name and
> password. These credentials get mangled into an Authorization header
> which gets sent with the next request once the user clicks OK in the
> dialog. Now, you can perform your authen code as you like.
> 
> Cookies and forms have got nothing to do with it, really.
> 
> Read more here: http://www.faqs.org/rfcs/rfc2617.html
> 
> 
> 

Oh OK, now I get it: in the Basic Auth scheme, the user agent, after getting the
required user and pass info from the client, resends its Authorization string in every
request header submitted to the server. So the web server does not have to recognize an
already authorized user, as long as it is able to authorize the user on every request.

So there's no way to use an HTTP form instead of the browser's ugly authorization box and
perform the Basic Authorization (without cookies or taking a session key with the URL)?
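The 401 / Authorization exchange described in the quoted reply, modelled as plain functions so it runs offline. This is an added example, not code from the thread or from mod_perl: the realm name, the user table and the choice to store a salted PBKDF2 hash instead of the clear-text password are assumptions of the example, and the sample credentials are constructed.

```python
"""Added example: HTTP Basic Authentication (RFC 2617) as an exchange
between a browser and a server that re-authenticates every request.
Not from the original thread or from mod_perl."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

REALM = "Protected Area"  # hypothetical realm name


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256; storing a hash instead of the clear-text
    # password is this example's assumption, not something the thread says.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_table(*pairs) -> dict:
    """Build {username: (salt, hash)} from (username, password) pairs."""
    table = {}
    for user, password in pairs:
        salt = os.urandom(16)
        table[user] = (salt, _hash_password(password, salt))
    return table


# Constructed sample user; the password contains colons on purpose.
USERS = make_user_table(("fatih", "s3cret:with:colons"))


# --- Server side: the challenge that makes the browser show its dialog ---
def challenge() -> Tuple[int, dict]:
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


# --- Client side: what the browser does once the user clicks OK ----------
def build_authorization(user: str, password: str) -> str:
    """Basic credentials are base64("user:password"). The user-id must not
    contain a colon (RFC 2617 section 2); the password may."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


# --- Server side: decode the header carried by every request --------------
def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password), or None for a missing or malformed header."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # split on the FIRST colon only
    if not sep:
        return None
    return user, password


def handle_request(headers: dict, users: dict = USERS) -> Tuple[int, dict, Optional[str]]:
    """Authenticate from the request headers alone: the server keeps no
    memory of earlier logins, exactly as the thread explains."""
    creds = parse_authorization(headers.get("Authorization"))
    if creds is None:
        status, hdrs = challenge()
        return status, hdrs, None
    user, password = creds
    entry = users.get(user)
    # Hash even for unknown users so response time does not reveal
    # whether the username exists.
    salt, stored = entry if entry else (b"\0" * 16, b"\0" * 32)
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        status, hdrs = challenge()
        return status, hdrs, None
    return 200, {}, user  # `user` is what $r->user would hold in the handler


def browser_flow(user: str, password: str, users: dict = USERS) -> list:
    """Replay the dialog flow: first request without credentials, then the
    same Authorization header on every later request."""
    statuses = []
    status, hdrs, _ = handle_request({}, users)
    statuses.append(status)
    if status == 401 and hdrs.get("WWW-Authenticate", "").startswith("Basic"):
        auth = build_authorization(user, password)  # user clicked OK
        for _ in range(2):  # browser resends the header each time
            status, _, _ = handle_request({"Authorization": auth}, users)
            statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(browser_flow("fatih", "s3cret:with:colons"))  # [401, 200, 200]
```

Because the server cannot tell a first request from a fifth, the credential check has to be cheap enough and safe enough to run on every hit; the constant-time comparison and the dummy hash for unknown users keep that check from leaking which usernames exist.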