However, if the structure were
http://bigmegamarket.com/index.pl/56765454151/grocery/fruits/bananas,
say, with the number being the session ID, the URL then is hackable
within that (good) definition.
Yes, however there are quite a number of issues with bookmarks and
search engines... But
browser sent the credentials, or leave $ENV{REMOTE_USER} undef
otherwise, without sending a 401 back.
I didn't think a browser would send authentication unless the server
requested it for an authentication domain. How are you going to
get some people to send the credentials and some
From: Jean-Michel Hiver [EMAIL PROTECTED]
Oh but I have that already. I know that I need to password protect
/properties.html
/content.html
/move.html
/foo/properties.html
/foo/content.html
/foo/move.html
etc...
Is it possible to password-protect a class of URIs using regexes? That
On Mon, Jul 01, 2002 at 10:30:36AM +0100, Jean-Michel Hiver wrote:
browser sent the credentials, or leave $ENV{REMOTE_USER} undef
otherwise, without sending a 401 back.
I didn't think a browser would send authentication unless the server
requested it for an authentication domain.
Thanks to the list and two days of hard work, I have my optional HTTP
authentication thingie working :-)
Basically here is how it looks in my apache config file:
# This method handler ensures that users must enter their credentials
# for any URI which looks like /foo/bar/login.html
Hi there,
On 30 Jun 2002, Randal L. Schwartz wrote:
What? The EU is going to make cookies *illegal*? I highly doubt this.
There is already EU legislation which might make the use of cookies suspect.
It concerns, for example, the monitoring of individual keyboard operators
to measure their
Jean-Michel Hiver [EMAIL PROTECTED] writes:
However, if the structure were
http://bigmegamarket.com/index.pl/56765454151/grocery/fruits/bananas,
say, with the number being the session ID, the URL then is hackable
within that (good) definition.
Yes, however there are quite a number
This seems a little off topic. I think this is an architecture question, not
a mod perl question.
Well, a bit of both I guess.
Basically, you want all your protected files to be located in /protected or
some other directory...
No that is not possible. I am running a web application, there
Oh, I don't know, I think the poster was asking about how to produce this
effect with mod_perl. He wants to know *whether* a login was provided, even
on a *non-protected* page. That would let you say (while serving any old
page):
if( $ENV{REMOTE_USER} eq 'admin' ) {
$r->print('Yo,
It seems that Apache::AuthCookie allows a way to make areas
to which one can authenticate if s/he wants. I suppose that
then in those areas you can tell if the user is logged in
and affect the pages if so.
Indeed the best option would be to be using one of the Apache::Session
module and
Jean-Michel == Jean-Michel Hiver [EMAIL PROTECTED] writes:
Jean-Michel * For political reasons and compliance with future european legislation
Jean-Michel I cannot use cookies,
What? The EU is going to make cookies *illegal*? I highly doubt
this.
Jean-Michel * For usability reasons
What? The EU is going to make cookies *illegal*? I highly doubt
this.
Sorry, I am neither the lawyer nor the client, so I can't tell you...
I know it's really stupid, but I am going to have to deal without
cookies.
Jean-Michel * For usability reasons encoding session IDs on URIs would be
:07 AM
Subject: Re: Optional HTTP Authentication ?
What? The EU is going to make cookies *illegal*? I highly doubt
this.
Sorry, I am neither the lawyer nor the client, so I can't tell you...
I know it's really stupid, but I am going to have to deal without
cookies.
Jean-Michel
On Sun 30-Jun-2002 at 10:47:26AM -0700, Peter Bi wrote:
Please check that the idea of this kind of authentication is to encrypt the
ticket, instead of a plain session ID. If cookie is not available, having
it on URI is a good idea. (Then one needs to have all links in a relative
manner; see
In one of the earlier stages of processing - maybe a FixupHandler or ? a
AuthenHandler might be appropriate - you can do something like this:
my $a = $r->header_in('Authorization');
$a =~ s/^Basic (.*)/$1/;
# Limit the split to two fields so a password containing ':' stays intact
my( $user, $pass ) = split(':', decode_base64( $a ), 2 );
if( check the
Jean-Michel Hiver [EMAIL PROTECTED] writes:
Why is a user hacking their URLs?
I can answer that. http://www.useit.com/alertbox/990321.html
cite
* a domain name that is easy to remember and easy to spell
* short URLs
* easy-to-type URLs
* URLs that visualize the site
Bi [EMAIL PROTECTED]
Cc: Jean-Michel Hiver [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, June 30, 2002 12:20 PM
Subject: Re: Optional HTTP Authentication ?
On Sun 30-Jun-2002 at 10:47:26AM -0700, Peter Bi wrote:
Please check that the idea of this kind of authentication is to encrypt
From: Jean-Michel Hiver [EMAIL PROTECTED]
I *CANNOT* use cookies nor URIs for any kind of session tracking.
Otherwise I don't think I would have posted this message to the list in
the first place :-)
I agree that HTTP Basic authentication is totally and utterly ugly, but I
am going to