Posted to modperl@perl.apache.org by "J. J. Horner" <jh...@2jnetworks.com> on 2000/06/21 21:02:44 UTC

PerlAuthenHandler and browsers

After working with 4 different types of browsers and the
PerlAuthenHandler, I am really unimpressed with browser makers.  

There are so many ways to convince browsers to resend a username/password
pair.

For that reason, my handler can't rely on browsers to behave during the
Authentication phase.  I am going to have to find a way to force a user to
input his password into the browser not using standard HTTP response
codes.

What is a reliable way to return a CGI script, and doing something with
that response, before returning the page requested by the user?

JJ

-- 
J. J. Horner
Apache, Perl, Unix, Linux
jhorner@knoxlug.org http://www.knoxlug.org/


Re: PerlAuthenHandler and browsers

Posted by "J. J. Horner" <jh...@2jnetworks.com>.
On Wed, 21 Jun 2000, Blue wrote:

> On Wed, 21 Jun 2000, J. J. Horner wrote:
> 
> > For that reason, my handler can't rely on browsers to behave during the
> > Authentication phase.  I am going to have to find a way to force a user to
> > input his password into the browser not using standard HTTP response
> > codes.
> 
> Could you elaborate on that a little more, please?

When a browser is sent a 401 response code, it checks its password cache
for a password for that REALM, and, if found, sends it.  If it isn't
found, it requests one from the user.  IE 4.x never wants to ask the user
for that, if it has one in its cache, even if the server sends a 401
response back again.  It appears to keep trying a few times.

Under Netscape, if I want a browser to pop another dialogue box (say a
user has a valid password/uid pair, but I'm trying to force him to input
it again), I can send back the 401 error and if the user doesn't cancel
out, everything is fine.  If the user cancels the dialogue, goes somewhere
else, and then comes back, he can get it without submitting a username and
password again.

What I will have to do, I guess, will be to write a mod_perl handler to
allow a CGI script to step in at the Authentication phase, request the
user's password again, in an HTML form, check that password against the
password returned with $r->get_basic_auth_pw and if the check returns
true, send back the document originally requested.

I am trying to find a way to spawn a subrequest so that the user can click
a link, get the "Please verify password" page, then go on to what he
requested.

Does this clear it up?


-- 
J. J. Horner
Apache, Perl, Unix, Linux
jhorner@knoxlug.org http://www.knoxlug.org/
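
The re-verification check described in the message above, as an added example that is not part of the original thread: the core logic in plain Perl (core modules only), comparing a form-submitted password with the Basic credentials and issuing a short-lived signed token the authentication-phase handler can check instead of relying on the browser's 401 behaviour. The function names, the token format, `$SECRET` and `$TTL` are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(decode_base64);

my $SECRET = 'constructed-demo-secret';   # assumption: server-side key, never sent to the client
my $TTL    = 300;                         # assumption: a re-verification lasts 5 minutes

# Split an "Authorization: Basic ..." header into (user, password); under mod_perl
# the password is what the thread obtains from $r->get_basic_auth_pw.
sub basic_credentials {
    my ($header) = @_;
    return unless defined $header && $header =~ /^Basic\s+(\S+)$/i;
    my ($user, $pw) = split /:/, decode_base64($1), 2;
    return unless defined $pw;
    return ($user, $pw);
}

# Compare two secrets without an early exit: HMAC both, then XOR every character.
sub same_secret {
    my ($x, $y) = @_;
    my ($hx, $hy) = map { hmac_sha256_hex($_, $SECRET) } $x, $y;
    my $diff = 0;
    $diff |= ord(substr $hx, $_, 1) ^ ord(substr $hy, $_, 1) for 0 .. length($hx) - 1;
    return $diff == 0;
}

# Form password matches the Basic password: issue a token bound to user and expiry.
sub issue_token {
    my ($auth_header, $form_pw, $now) = @_;
    my ($user, $pw) = basic_credentials($auth_header) or return;
    return unless same_secret($form_pw, $pw);
    my $exp = $now + $TTL;
    return join ':', $user, $exp, hmac_sha256_hex("$user:$exp", $SECRET);
}

# What the authentication-phase handler would check before serving the document.
sub token_valid {
    my ($token, $user, $now) = @_;
    my ($t_user, $exp, $mac) = split /:/, ($token // ''), 3;
    return 0 unless defined $mac && $exp =~ /^\d+$/ && $t_user eq $user;
    return 0 if $now > $exp;
    return same_secret($mac, hmac_sha256_hex("$t_user:$exp", $SECRET));
}

my $hdr   = 'Basic amo6czNjcmV0';          # constructed sample header: "jj:s3cret"
my $token = issue_token($hdr, 's3cret', time);
print "re-verified: ", (token_valid($token, 'jj', time) ? 'yes' : 'no'), "\n";
print "wrong form password: ", (defined issue_token($hdr, 'guess', time) ? 'accepted' : 'rejected'), "\n";
```

In a handler the token would travel in a cookie set by the form page, and the Basic credentials themselves still have to be validated against the user database as usual; this sketch only covers the "type it again" step.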


Re: PerlAuthenHandler and browsers

Posted by Blue <bl...@calico.gator.net>.
On Wed, 21 Jun 2000, J. J. Horner wrote:

> For that reason, my handler can't rely on browsers to behave during the
> Authentication phase.  I am going to have to find a way to force a user to
> input his password into the browser not using standard HTTP response
> codes.

Could you elaborate on that a little more, please?

> 
> What is a reliable way to return a CGI script, and doing something with
> that response, before returning the page requested by the user?
> 
> JJ
> 
> 

-- 
        Blue Lang                              Unix Systems Admin
        QSP, Inc., 3200 Atlantic Ave, Ste 100, Raleigh, NC, 27604
        Home: 919 835 1540  Work: 919 875 6994  Fax: 919 872 4015