Thanks Andre, Mike, Eric and Nick... I will read up on authentication so
I can better grasp it!!
André Warnier wrote:
Jeff Sherk Forerunner Ministries wrote:
When requiring a username & password with AuthType Basic, is it
possible to include them in a POST or GET request to the server so
that it won't ask for them (because they were provided)?
If it's possible, what variable names are assigned to them.
Jeff,
I believe you have a bit more studying to do in terms of HTTP
authentication scriptures.
I recommend to you the following on-line documents, in that order :
a) http://en.wikipedia.org/wiki/Basic_access_authentication
b) http://httpd.apache.org/docs/2.2/howto/auth.html
c) http://tools.ietf.org/html/rfc1945#section-11.1
The truth is in there. Unfortunately, these documents can be a bit
hermetic to the non-initiated, so here is a short introduction :
On a webserver, you usually define different areas containing
documents, and corresponding URLs to access them.
In Apache, these areas and URLs correspond more or less to
configuration sections such as <Directory> and <Location>.
(You can also use a .htaccess file inside of the directory itself, but
that is frowned upon if you have access to the main webserver
configuration).
If you want to protect access to such a Directory or Location, you can
specify rules, as described in (b) above.
For the "basic" type of authentication, ("AuthType Basic"), the
parameter : "AuthName xxxxxxxxxxxx" is also very important.
You can have different server areas which are covered by the same
"AuthName". This is like in a building, you could have different
rooms marked "Prophets Only", while other rooms are marked "Mere
Converts OK".
As soon as one has authenticated for one of the "Prophets Only" areas,
he is allowed to access any other room marked "Prophets Only", without
needing to supply his credentials again.
The way it works, is that a browser "remembers" that it has already
accessed one of the "Prophets Only" areas previously within the same
browser session.
So when he accesses a new area, when the server responds that for this
one, one needs a "Prophets Only" authentication, the browser just
looks in its cache to see if it already has one of those, and if yes,
it re-issues the same request again, without user intervention, but
this time with the appropriate request header providing his "Prophets
Only" authentication credentials.
This all happens automatically, without the user even noticing.
It is only the first time that the browser accesses a "Prophets Only"
area, that it does not find this in its cache, and has to ask the user
to provide a user-id and password.
So, to get back to your original question above :
- you do not need to do anything special to get this behaviour, other
than making sure that the different areas of your server which you
want to be covered by the /same/ credentials, use the /same/
"AuthName" value.
- there are no "variables" assigned to this. It happens via HTTP
headers which the browser automatically adds to the request, when
applicable.(*)
Now I suggest that you re-read document (b) above once more, hoping
that with this short overview it will now be more accessible.
(*) This is not entirely true. It is generally the case, when a
request has been "authenticated" by Apache, that a script running
under Apache can access the authenticated user-id assigned to this
request.
To see how, however, you will have to consult yet more documentation,
depending on the programming language these scripts are written in.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
---------------------------------------------------------------------
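The exchange André describes, as an added example that is not part of the original thread: a toy server that answers 401 with a realm challenge, and a toy browser that caches credentials per realm and repeats the request with an Authorization header. The paths, accounts and the `server`/`Browser` names are constructed for illustration; real browsers also scope the cache by host.

```python
import base64, hmac, re

# Constructed sample configuration: URL area -> AuthName (realm), realm -> accounts.
AREAS = {"/prophets/a": "Prophets Only", "/prophets/b": "Prophets Only",
         "/converts": "Mere Converts OK"}
USERS = {"Prophets Only": {"elijah": "s3cret"}, "Mere Converts OK": {"jeff": "pw"}}

def server(path, headers):
    """Return (status, response headers, authenticated user-id or None)."""
    realm = AREAS[path]
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:            # malformed base64 or non-UTF-8 bytes
            user, pw = "", ""
        known = USERS[realm].get(user)
        if known is not None and hmac.compare_digest(known.encode(), pw.encode()):
            return 200, {}, user      # Apache exposes this to CGI as REMOTE_USER
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, None

class Browser:
    def __init__(self, prompt):
        self.cache = {}               # realm -> Authorization value, this session only
        self.prompt = prompt          # stands in for the login dialog
        self.prompts = 0

    def get(self, path):
        status, hdrs, user = server(path, {})        # first attempt, no credentials
        if status != 401:
            return status, user
        realm = re.match(r'Basic realm="([^"]*)"', hdrs["WWW-Authenticate"]).group(1)
        if realm not in self.cache:                  # ask the user once per realm
            self.prompts += 1
            u, p = self.prompt(realm)
            token = base64.b64encode(f"{u}:{p}".encode()).decode()
            self.cache[realm] = "Basic " + token
        status, _, user = server(path, {"Authorization": self.cache[realm]})
        if status == 401:
            self.cache.pop(realm, None)              # rejected: forget and re-prompt later
        return status, user
```

The header value is only Base64-encoded, not encrypted, so anyone who can read the request can recover the password unless the connection uses TLS.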