Sorry, I should have mentioned that. Yes, I have done it from a fresh browser session, and to make sure, I had even tried it on a different computer that had never actually authenticated before. So this computer was somehow accessing this secure site without ever having been sent the credentials.

----- Original Message -----
From: "Owen Boyle" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 11, 2002 10:35 PM
Subject: Re: problem with SSL authentication

> David wrote:
> >
> > My website is a https website using mod_ssl :
> > Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6
> > DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
> >
> > This is what I have in my access.conf :
> >
> > <Directory /path/to/directory/secure>
> > AuthName https://name.of.my.website/secure
> > AuthType Basic
> > AuthUserFile /path/to/password/file
> > Require valid-user
> > </Directory>
> >
> > Here is the problem. When I click a link to a page in the directory,
> > I come up with my login screen popup. If I type the right
> > username/password pair, it will display the page, if I don't, it comes
> > up with a 403 error-forbidden. This is all fine. However, I was
> > extremely surprised to realise that if I fail the connection to
> > receive the 403 error, I can click the back button in the browser,
> > then the forward button, and get the page...even though I still haven't
> > even authenticated yet!!! I am assuming that I am doing something
> > stupid, but I can't seem to guess what that might be.
>
> Are you sure it does this on a first-time login with a clean browser,
> before you *ever* authenticate?
>
> Remember that if you login even once, your browser will cache the
> username/password and use it automatically for any subsequent requests
> in the protected realm (that is how you only have to authenticate once
> and can navigate about in a protected realm).
>
> Rgds,
>
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
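
The distinction raised in the quoted reply, between a browser replaying cached Basic credentials and a request that never carried any, can be tested with a client that has no credential store. The script below is an added example, not part of the thread: the loopback test server, the `demo`/`s3cret` credentials and the realm name are constructed, and it uses plain HTTP instead of mod_ssl to stay self-contained.

```python
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this demo; none of these values come from the thread.
USER, PASSWORD, REALM = "demo", "s3cret", "secure-area"
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        ok = hmac.compare_digest(sent.encode(), EXPECTED.encode())
        body = b"protected page" if ok else b"authorization required"
        self.send_response(200 if ok else 401)
        if not ok:  # challenge the client, naming the protected realm
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def status(opener, url):
    """Return the HTTP status code the opener ends up with for url."""
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/secure/"
    no_proxy = urllib.request.ProxyHandler({})  # ignore proxy env vars
    fresh = urllib.request.build_opener(no_proxy)  # holds no credentials
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, USER, PASSWORD)  # plays the browser cache
    cached = urllib.request.build_opener(no_proxy, urllib.request.HTTPBasicAuthHandler(mgr))
    try:  # (fresh client, caching client, fresh client again)
        return status(fresh, url), status(cached, url), status(fresh, url)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

A correctly protected directory answers the credential-less client with 401 every time; a 200 there means the server itself is not enforcing authentication for that path, independent of anything the browser has cached.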
