Maybe, if I'm a little clearer someone might be able to point in the right direction. I don't think I need to modify mod_auth_digest, but another apache module.
What I have is a person login into htaccess using ajax. The file they access has htaccess require valid-user. The first time they log in, great. To log out, they log into a logout account. The file they access has require user logout. The next time they try to log into the account via ajax. They are granted access to the page they are calling, but remote_user is not set. I put print statements in mod_auth_digest authenticate_digest_user to see what was happening. All of the values are right, the user is authenticated, but the new user is not logged in. Apache keeps them logged into the logout account and only grants access to that one page. Does anyone know which module I should modify to force a new login? I'm thinking whichever module calls the hooks has to be modified. Is this right? It looks like I don't have to modify mod_auth_digest, which authenticates, but probably the httpd module that calls the hooks and does the actually logging in. I was looking at the module util_script.c which sets remote_user, but I'm not sure if this is the right module. I'm not terribly familiar with apache. It also just sets remote_user to r->user, which should work. I may need to look at the module that calls that ap_add_commom_vars to see if it's not being called. If this is the only module that sets the environment variable, then I think it's being skipped. I tried implementing htaccess require restrict logout. But since the new user is not logout access is granted for that page, but the account is not logged into. It seems to me if a page is accessed and granted a page in the directory with new creditials, apache would log in the new user but doesn't. M*
