Posted to modperl@perl.apache.org by "J. J. Horner" <jh...@2jnetworks.com> on 2000/06/21 18:49:24 UTC

Crazy browser issues

Okay,

I'm working on a PerlAuthenHandler that returns AUTH_REQUIRED unless a
file is less than a certain number of seconds old.

I've noticed a problem:

In Netscape (and probably IE), if a handler returns AUTH_REQUIRED, the  
user can just hit 'Ok' on the password dialogue without typing in a  
password and the browser will resend the original information again.  
If the password in cache is still valid, it will
reauthenticate without prompting the user again.  This can't be
cool.  I've found that I have to make sure that the $sent_pw in 

my ($res, $sent_pw) = $r->get_basic_auth_pw;

isn't null or 0.

Also, IE doesn't always give a user the password dialog when given an
AUTH_REQUIRED response.  If IE sends a username/password because of an
AUTH_REQUIRED response, and gets an AUTH_REQUIRED response in return, it
will resend the information again. This makes it really difficult to deal
with different browsers during the Authentication phase.


Any ideas or comments?
-- 
J. J. Horner
Apache, Perl, Unix, Linux
jhorner@knoxlug.org http://www.knoxlug.org/


Re: Crazy browser issues

Posted by re...@ch.twi.tudelft.nl.
On Wed, 21 Jun 2000, J. J. Horner wrote:

Hi,

> Okay,
> 
> I'm working on a PerlAuthenHandler that returns AUTH_REQUIRED unless a
> file is less than a certain number of seconds old.
> 
> I've noticed a problem:
> 
> In Netscape (and probably IE), if a handler returns AUTH_REQUIRED, the  
> user can just hit 'Ok' on the password dialogue without typing in a  
> password and the browser will resend the original information again.  
> If the password in cache is still valid, it will
> reauthenticate without prompting the user again.  This can't be
> cool.  I've found that I have to make sure that the $sent_pw in 
> 
> my ($res, $sent_pw) = $r->get_basic_auth_pw;
> 
> isn't null or 0.

Maybe you should study cache-control (expires etc...) -> guide, this might
cause Netscape to "forget" the cached copy, and require (new) auth...

> Any ideas or comments?

Useful?

Bye,
Remco

/----------------------------------------------------------------------\
| Remco Schaar                                                         |
| e-mail: Remco@ch.twi.tudelft.nl                                      |
\----------------------------------------------------------------------/

    South Park meets Linux:
        - "Oh my God, they killed init!"
        - "You bastards!"


Re: Crazy browser issues

Posted by Peter Haworth <pm...@edison.ioppublishing.com>.
On 21-Jun-00 at 17:59, J. J. Horner (jhorner@2jnetworks.com) wrote:
> In Netscape (and probably IE), if a handler returns AUTH_REQUIRED, the  
> user can just hit 'Ok' on the password dialogue without typing in a  
> password and the browser will resend the original information again.  
> If the password in cache is still valid, it will
> reauthenticate without prompting the user again.  This can't be
> cool.  I've found that I have to make sure that the $sent_pw in 
> 
> my ($res, $sent_pw) = $r->get_basic_auth_pw;
> 
> isn't null or 0.
> 
> Also, IE doesn't always give a user the password dialog when given an
> AUTH_REQUIRED response.  If IE sends a username/password because of an
> AUTH_REQUIRED response, and gets an AUTH_REQUIRED response in return, it
> will resend the information again. This makes it really difficult to deal
> with different browsers during the Authentication phase.

Are you calling $r->note_basic_auth_failure when you return AUTH_REQUIRED?

I see something even stranger on occasion. Sometimes, when I connect to a
password-protected area using the unqualified name of the server, the browser
just sends the request *without* asking for a username, repeatedly, until I hit
STOP. This never happens when using the fully qualified server name.

Something else about authen handlers confuses me: does $r->get_basic_auth_pw
call $r->note_basic_auth_failure when it returns AUTH_REQUIRED?


-- 
	Peter Haworth	pmh@edison.ioppublishing.com
"Please wait while I fill up a random disk partition to
 test whether print returns the correct error code..."
		-- Larry Wall in a hypothetical perl test suite
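
An added example, not code from any poster in this thread: a mod_perl 1 PerlAuthenHandler that combines the checks discussed above (refuse an empty $sent_pw, call note_basic_auth_failure on every AUTH_REQUIRED, and require the file to be recent). The module name and the PerlSetVar names FreshFile, FreshFileMaxAge and FreshPwFile are assumptions made for illustration.

```perl
package My::FreshFileAuthen;    # hypothetical module name
use strict;
use Apache::Constants qw(OK AUTH_REQUIRED);

# Every refusal goes through here, so each AUTH_REQUIRED carries a
# WWW-Authenticate challenge and leaves a line in the error log.
sub deny {
    my ($r, $why) = @_;
    $r->note_basic_auth_failure;
    $r->log_reason($why, $r->uri);
    return AUTH_REQUIRED;
}

# Compare against a "user:crypt-hash" line in a flat file.
sub password_ok {
    my ($path, $user, $pw) = @_;
    open my $fh, '<', $path or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $hash) = split /:/, $line, 2;
        next unless defined $hash && length $hash && $u eq $user;
        return crypt($pw, $hash) eq $hash ? 1 : 0;
    }
    return 0;
}

sub handler {
    my $r = shift;
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;    # not OK: pass Apache's own status through

    # Hitting 'Ok' on an empty dialog sends empty strings: refuse them
    # before any lookup.
    my $user = $r->connection->user;
    return deny($r, 'empty username or password')
        unless defined $user && length $user
            && defined $sent_pw && length $sent_pw;

    # Hypothetical PerlSetVar names: FreshFile, FreshFileMaxAge, FreshPwFile.
    my $file    = $r->dir_config('FreshFile');
    my $max_age = $r->dir_config('FreshFileMaxAge') || 300;
    my $mtime   = defined $file ? (stat $file)[9] : undef;
    return deny($r, 'freshness file missing or too old')
        unless defined $mtime && time() - $mtime < $max_age;

    my $pwfile = $r->dir_config('FreshPwFile');
    return deny($r, 'password mismatch')
        unless defined $pwfile && password_ok($pwfile, $user, $sent_pw);
    return OK;
}
1;
```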