André Warnier <a...@ice-sa.com>
André Warnier wrote:
Tosh Cooey wrote:
...
Hi.
Does your login form page contain links to other things (for example, images), which are also located in the /berlin/ area, or in other directories/locations protected by the same authentication?


A bit of explanation, as a complement:
I have not looked at the code of the Auth module you are using, but usually, these modules are smart enough to skip authentication (and return OK) when the call is made internally from within Apache, as a sub-request. What these modules cannot do however, is skip authentication for multiple calls made from the browser at (about) the same time.
In other words:
- suppose your login page itself, contains a link like
<img src="/berlin/images/mylogo.gif" />.
- You ask for a protected page. The server auth module notices that it is protected, and that there is no authentication cookie, so it sends the login page to the browser. When the browser sees the above link in this login page, it immediately issues another request for that image. The server now gets another request, and notices that it is for an object in a protected area. But it has still not received an authentication cookie yet with that request. So it sends back the login page...
Get it?


Got it!

Unfortunately I'm just using the standard login page that the AUTH module comes with, view source:

<!-- $Id: login.html,v 1.1.1.1 2003/10/10 20:13:33 jacob Exp $ -->
<FORM ACTION="/berlin/LOGIN" METHOD="POST">
<INPUT TYPE="HIDDEN" NAME="destination" VALUE="/berlin/index.pl">

Username: <INPUT TYPE="TEXT" NAME="credential_0"><BR>
Password: <INPUT TYPE="PASSWORD" NAME="credential_1"><BR>

<INPUT TYPE="SUBMIT" VALUE="Log in">
</FORM>


I'm not even classy enough to provide her with a proper <body> :)

Anyway, I'm glad I ran this by the list, at least I am reassured that it's likely in the AUTH module and not some n00b mistake in my httpd.conf or .htaccess :)

Maybe I'll bug the author of the module now.

Tosh

--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/
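
The check discussed in this thread (does the login page pull in anything that sits behind the same authentication?) can be automated. The following is an added example, not part of the original messages or of the auth module; the host www.example.com, the /public/ path and the banner image are constructed, and /berlin/ is assumed to be the only protected prefix.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags a browser fetches on its own while rendering, and the attribute holding the URL.
# Form ACTION targets and plain <a href> links are only requested after a user action.
AUTO_FETCHED = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class SubresourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        attr = AUTO_FETCHED.get(tag)
        if not attr:
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and not {"stylesheet", "icon"} & set(rel):
            return  # e.g. rel="canonical" is never fetched
        if a.get(attr):
            self.urls.append(a[attr])

def protected_subresources(login_html, page_url, protected_prefixes):
    """Return paths the browser would request automatically that fall under a
    protected prefix, i.e. requests that would be answered with the login page."""
    collector = SubresourceCollector()
    collector.feed(login_html)
    origin = urlsplit(page_url)
    hits = []
    for raw in collector.urls:
        target = urlsplit(urljoin(page_url, raw))  # resolves relative links
        if (target.scheme, target.netloc) != (origin.scheme, origin.netloc):
            continue  # other hosts are not covered by this server's auth config
        if any(target.path.startswith(p) for p in protected_prefixes):
            hits.append(target.path)
    return hits

# Constructed sample: the stock form from the thread plus the kind of links described above.
STOCK_FORM = '''<FORM ACTION="/berlin/LOGIN" METHOD="POST">
<INPUT TYPE="HIDDEN" NAME="destination" VALUE="/berlin/index.pl">
<INPUT TYPE="SUBMIT" VALUE="Log in"></FORM>'''
SAMPLE_PAGE = '''<img src="/berlin/images/mylogo.gif" />
<IMG SRC="images/banner.gif">
<link rel="stylesheet" href="/public/login.css">
''' + STOCK_FORM

if __name__ == "__main__":
    url = "http://www.example.com/berlin/index.pl"  # URL that triggered the login page
    print(protected_subresources(SAMPLE_PAGE, url, ["/berlin/"]))
```

An empty result for the stock form alone means the login page itself triggers no extra requests into the protected area.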

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.