How do I have a PerlAuthenHandler not popup the login box?

2003-07-17 Thread Jason Fong
I'm making a login system that uses a web form instead of the browser's
popup box to input the username/password.  My problem is that when I use
my authentication script as a PerlAuthenHandler in the .htaccess, it
insists on having the browser show the popup username/password box.  I
tried making a simple handler function that just returns OK, but I still
get the login box.

My guess is that using the PerlAuthenHandler automatically sends an
AUTH_REQUIRED to the browser so that the login box appears.

I found a solution to this by changing the PerlAuthenHandler to a
PerlAccessHandler.  Is this the correct way to avoid the login box?  Or
is there a way for a PerlAuthenHandler to not pop up a login box?



authentication realms in http and https

2003-07-18 Thread Jason Fong
We recently upgraded our webserver from 
Apache 1.3.6 / modperl 1.19
to
Apache 1.3.27 / modperl 1.27

We use a .htaccess file in a directory to have a modperl script do
authentication for directory access (for downloading files, etc.).  It
also redirects the user from http to https if he does not come in
through https.

On our old server, the user would only see the browser's login box once
when he came in through http and was redirected to https.  On the new
server, however, the user has to log in twice.  But if the user comes in
through https on the new server, there is only one login.

So my guess is that the new server is not treating an authentication
realm in http as the same as one in https.

So, my question is... Is this different treatment of the http/https
authentication realms something that changed in the newer version of
modperl (or possibly apache)?  Or is this something that can be changed
through configuration options?  (and also... is my analysis even
correct? :) )  Thanks!


-Jason Fong