Posted to users@httpd.apache.org by Andrew Schulman <an...@alumni.utexas.net> on 2010/09/12 06:45:38 UTC

[users@httpd] AuthDigestDomain doesn't work

I have two domains, example1.com and example2.com, both served as virtual hosts
from my one Apache server.  Digest authentication is required on both hosts,
using the same realm and htdigest file.  Here's the configuration for
example1.com:

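<VirtualHost *:80>
  ServerName www.example1.com:80
  # Auth directives are valid only in directory context, so they are
  # wrapped in a <Location> section here.
  <Location />
    AuthType Digest
    AuthName "example realm"
    # URIs that share this protection space
    AuthDigestDomain http://www.example1.com http://www.example2.com
    AuthUserFile /path/to/htdigest
    Require valid-user
  </Location>
</VirtualHost>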

The configuration for example2.com is identical.  The two sites use the same
AuthUserFile and AuthName.

I have AuthDigestDomain there, because I want to avoid prompting the user twice
for their login credentials when they visit both of these sites.  That's what
AuthDigestDomain is explicitly supposed to be for.  And yet, in my experience so
far it doesn't work at all.  When someone visits example1.com and then goes to
example2.com, they have to enter their same username and password again.

Looking around for an explanation of this, I found very little.  The most I
could find was one comment
(http://stackoverflow.com/questions/357939/example-of-using-authtype-digest-to-authenticate-a-user-once-across-sub-domains/1978392#1978392)
claiming that "Most browsers do not respect the Digest "domain" directive and
will not resend credentials for other URIs. As far as I know, Opera is the only
browser that honors it."

Can anyone comment on whether this is true?  Is AuthDigestDomain essentially
useless, because most browsers won't honor it?

Thanks,
Andrew.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] AuthDigestDomain doesn't work

Posted by Joe Orton <jo...@redhat.com>.
On Sun, Sep 12, 2010 at 12:45:38AM -0400, Andrew Schulman wrote:
...
> Looking around for an explanation of this, I found very little.  The most I
> could find was one comment
> (http://stackoverflow.com/questions/357939/example-of-using-authtype-digest-to-authenticate-a-user-once-across-sub-domains/1978392#1978392)
> claiming that "Most browsers do not respect the Digest "domain" directive and
> will not resend credentials for other URIs. As far as I know, Opera is the only
> browser that honors it."
> 
> Can anyone comment on whether this is true?  Is AuthDigestDomain essentially
> useless, because most browsers won't honor it?

I checked Firefox a while back and this was still true; can't speak for 
MSIE but I haven't heard about anybody using this successfully with the 
big browsers.

Regards, Joe
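
As a reference for what honouring the directive would mean on the client side, here is an added example (not part of the original thread, and not code from Apache or any browser). It parses a Digest challenge and applies the RFC 2617 rule that a URI is in the protection space when one of the URIs in the domain parameter is a prefix of it. The sample challenge, its nonce and all function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample challenge (the nonce is made up), modelled on the
# AuthName and AuthDigestDomain values in the configuration in this thread.
SAMPLE_CHALLENGE = (
    'Digest realm="example realm", nonce="Y29uc3RydWN0ZWQ=", '
    'algorithm=MD5, qop="auth", '
    'domain="http://www.example1.com http://www.example2.com"'
)

_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_challenge(header):
    """Return the auth-params of a WWW-Authenticate Digest challenge."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        # Quoted values may contain backslash escapes; tokens are used as-is.
        params[name.lower()] = token or re.sub(r"\\(.)", r"\1", quoted)
    return params


def _normalize(uri):
    """Reduce a URI to (scheme, host, port, path) for prefix comparison."""
    p = urlsplit(uri)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return p.scheme, (p.hostname or "").lower(), port, p.path or "/"


def protection_space(challenge_url, params):
    """Absolute URIs covered by the challenge received at challenge_url."""
    domain = params.get("domain", "").split()
    if not domain:
        # Absent or empty domain: all URIs on the responding server.
        domain = ["/"]
    return [_normalize(urljoin(challenge_url, d)) for d in domain]


def in_protection_space(url, challenge_url, params):
    """True if a client honouring domain could reuse credentials for url."""
    scheme, host, port, path = _normalize(url)
    return any(
        (scheme, host, port) == (s, h, p) and path.startswith(prefix)
        for s, h, p, prefix in protection_space(challenge_url, params)
    )
```

With the sample challenge, http://www.example2.com/docs/ falls inside the protection space of a challenge received from www.example1.com; with no domain parameter it does not, which matches the behaviour reported in this thread for browsers that ignore the parameter.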
