Posted to users@httpd.apache.org by António Mota <am...@gmail.com> on 2006/10/02 22:40:05 UTC

[users@httpd] Force authentication

Hello:

I'm trying to do some basic authentication that checks for user
existence on every request, something like this:

1) User asks page
2) Server answers with a 401
3) Browser asks for User id/pwd
4) Browser sends User id/pwd
5) Server looks into user file if user id/pwd exists

So far so good, but I was expecting that steps 4) and 5) will repeat
for every request from the Browser from now on. But it seems that does
not happen.

I have my user file updated by an external application (at the moment
it's me updating manually between requests) so I expected that if I
deleted the user id/pwd from the file between subsequent 4) - 5) the
server will detect that the user id was not on the file anymore and
ask again for a user id/pwd or signal the browser of invalid
credentials.

But that doesn't happen, it seems step 5) isn't executed anymore
(unless I clear the TTP Authentication of course).

Am I doing something wrong, or assuming something I shouldn't? Could
it be that the user file gets cached after the first check? If so how
can I un-cache it?

Any ideas?

Thanks.
-- 
Melhores cumprimentos / Kind regards
António Santos Mota

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Force authentication

Posted by António Mota <am...@gmail.com>.
Hi Nick, nice to hear from you...

I took your suggestion and looked at the access.log (I wouldn't think of
that...) and I think the problem was not what I thought.

As you know, my Apache server is used as a proxy reverse server, and
it seems the problem is with that. In my server I have a few pages
that are indeed authenticated each time I visit them.

127.0.0.1 - abcd [03/Oct/2006:13:38:07 +0100] "GET /rproxy.html HTTP/1.1" 304 -

(abc is the user)

and if I dynamically delete that user from the file next time he/she
will be asked for authentication again. That is the behaviour I
expected.

However when I proxy-reverse to other pages the authentication is never checked.

127.0.0.1 - - [03/Oct/2006:13:55:52 +0100] "GET /url=http://www.gtinformatica.pt HTTP/1.1" 302 132

In this case, http://www.gtinformatica.pt is outside my server and
needs no authentication, but since it passes thru my server I was
expecting that it would also be authenticated...

Any help on this?

Thanks a lot.





2006/10/2, Nick Kew <ni...@webthing.com>:
> On Monday 02 October 2006 21:40, António Mota wrote:
> > Hello:
> >
> > I'm trying to do some basic authentication that checks for user
> > existence on every request, something like this:
> >
> > 1) User asks page
> > 2) Server answers with a 401
> > 3) Browser asks for User id/pwd
> > 4) Browser sends User id/pwd
> > 5) Server looks into user file if user id/pwd exists
>
> Yep.
>
> > So far so good, but I was expecting that steps 4) and 5) will repeat
> > for every request from the Browser from now on.
>
> Yep.  Browser remembers credentials.
>
> > But it seems that does
> > not happen.
>
> Hmm?
>
> > I have my user file updated by an external application (at the moment
> > it's me updating manually between requests) so I expected that if I
> > deleted the user id/pwd from the file between subsequent 4) - 5) the
> > server will detect that the user id was not on the file anymore and
> > ask again for a user id/pwd or signal the browser of invalid
> > credentials.
>
> What's in your access log?  Either your authentication module is
> caching something, or (very likely) the browser is.
>
> > But that doesn't happen, it seems step 5) isn't executed anymore
> > (unless I clear the TTP Authentication of course).
>
> What do you mean by that?
>
> --
> Nick Kew
>
> Application Development with Apache - the Apache Modules Book
> http://www.prenhallprofessional.com/title/0132409674


-- 
Melhores cumprimentos / Kind regards
António Santos Mota
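
An added example, not part of the original thread: the access-log check discussed above, automated. It classifies each common-log-format entry by its remote-user field and status, so requests answered without any authenticated user (like the proxied one) stand out. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The first two lines are the entries quoted in the message (wrapped line
# rejoined); the third is a constructed 401 challenge added for contrast.
SAMPLE_LOG = """\
127.0.0.1 - abcd [03/Oct/2006:13:38:07 +0100] "GET /rproxy.html HTTP/1.1" 304 -
127.0.0.1 - - [03/Oct/2006:13:55:52 +0100] "GET /url=http://www.gtinformatica.pt HTTP/1.1" 302 132
127.0.0.1 - - [03/Oct/2006:13:37:59 +0100] "GET /rproxy.html HTTP/1.1" 401 479
"""

def classify(line):
    """Return (verdict, user, path, status) for one log line, or None."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    status = int(m["status"])
    parts = m["request"].split()
    path = parts[1] if len(parts) >= 2 else m["request"]
    user = m["user"]
    if status == 401:
        # The user field is not trustworthy on a 401: nobody is authenticated yet.
        verdict = "challenged"
    elif user == "-":
        # Answered with no remote user: no auth check covered this request.
        verdict = "unauthenticated"
    else:
        verdict = "authenticated"
    return verdict, user, path, status

def audit(log_text):
    """Count verdicts and list the requests served without authentication."""
    counts, gaps = Counter(), []
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            counts["unparsed"] += 1
            continue
        verdict, _user, path, status = result
        counts[verdict] += 1
        if verdict == "unauthenticated":
            gaps.append((path, status))
    return dict(counts), gaps
```

Any path that audit() reports as a gap was handled by a part of the configuration that the authentication directives do not cover.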



Re: [users@httpd] Force authentication

Posted by Nick Kew <ni...@webthing.com>.
On Monday 02 October 2006 21:40, António Mota wrote:
> Hello:
>
> I'm trying to do some basic authentication that checks for user
> existence on every request, something like this:
>
> 1) User asks page
> 2) Server answers with a 401
> 3) Browser asks for User id/pwd
> 4) Browser sends User id/pwd
> 5) Server looks into user file if user id/pwd exists

Yep.

> So far so good, but I was expecting that steps 4) and 5) will repeat
> for every request from the Browser from now on.

Yep.  Browser remembers credentials.

> But it seems that does 
> not happen.

Hmm?

> I have my user file updated by an external application (at the moment
> it's me updating manually between requests) so I expected that if I
> deleted the user id/pwd from the file between subsequent 4) - 5) the
> server will detect that the user id was not on the file anymore and
> ask again for a user id/pwd or signal the browser of invalid
> credentials.

What's in your access log?  Either your authentication module is
caching something, or (very likely) the browser is.

> But that doesn't happen, it seems step 5) isn't executed anymore
> (unless I clear the TTP Authentication of course).

What do you mean by that?

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.prenhallprofessional.com/title/0132409674
