André Warnier wrote:
Tosh Cooey wrote:
...
Hi.
Does your login form page contain links to other things (for example,
images), which are also located in the /berlin/ area, or in other
directories/locations protected by the same authentication?
A bit of explanation, as a complement:
I have not looked at the code of the Auth module you are using, but
usually, these modules are smart enough to skip authentication (and
return OK) when the call is made internally from within Apache, as a
sub-request.
What these modules cannot do, however, is skip authentication for
multiple calls made from the browser at (about) the same time.
In other words:
- suppose your login page itself contains a link like
<img src="/berlin/images/mylogo.gif" />.
- You ask for a protected page. The server auth module notices that it
is protected, and that there is no authentication cookie, so it sends
the login page to the browser. When the browser sees the above link in
this login page, it immediately issues another request for that image.
The server now gets another request, and notices that it is for an
object in a protected area. But it has still not received an
authentication cookie yet with that request. So it sends back the login
page...
Get it?
The same applies for any links to stylesheets e.g.
You also get similar apparently bizarre behaviour, when the original
page requested is a frame document, with several frames residing in
protected areas. You would then get bits of login pages in each frame,
which looks ugly.
The solution to the above is either to move the image to a directory
that is not submitted to this authentication, or to tell the
authentication module - if it provides such an option - to skip
authentication for images e.g.
A browser plugin like HttpFox (for Firefox) or Fiddler2 (for IE) helps a
lot in tracking down this kind of issue.
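
An added example, not part of the original message: a small Python check that lists the resources a login page makes the browser fetch automatically and flags those that sit under a protected prefix, which is the situation described above. The host name, the login page URL, the `/public/` paths and the function name `protected_assets` are assumptions made for illustration; only `/berlin/` and `/berlin/images/mylogo.gif` come from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser issue a request on its own.
FETCH_ATTRS = {"img": "src", "script": "src", "frame": "src",
               "iframe": "src", "link": "href"}

class _AssetCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.assets = []  # (tag, raw reference) in document order

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.assets.append((tag, value))

def protected_assets(login_html, login_url, protected_prefixes):
    """Return (tag, path) for each auto-fetched asset of the login page
    that lies under one of the protected path prefixes."""
    collector = _AssetCollector()
    collector.feed(login_html)
    origin = urlsplit(login_url)
    hits = []
    for tag, ref in collector.assets:
        # Resolve relative references the way the browser would.
        target = urlsplit(urljoin(login_url, ref))
        if (target.scheme, target.netloc) != (origin.scheme, origin.netloc):
            continue  # other origin: not gated by this server's auth module
        if any(target.path.startswith(p) for p in protected_prefixes):
            hits.append((tag, target.path))
    return hits

# Constructed sample input (hypothetical host and /public/ paths).
LOGIN_URL = "http://www.example.test/login/form.html"
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="/berlin/css/site.css">
<link rel="stylesheet" href="/public/css/login.css">
</head><body>
<img src="/berlin/images/mylogo.gif" />
<img src="../public/images/banner.gif" />
<form method="post" action="/LOGIN">...</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, path in protected_assets(SAMPLE_LOGIN_PAGE, LOGIN_URL, ["/berlin/"]):
        print(f"<{tag}> {path} is behind authentication; the browser will get the login page instead")
```

Every path it reports should either be moved out of the protected area or be exempted from authentication, as described above.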
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.