You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by André Malo <nd...@perlig.de> on 2004/01/17 23:22:39 UTC

SetEnvIf Remote_User never worked at all

and at the moment I see only one way to fix it reliably: Remove it from the
documentation and the code.

(There's also a report w.r.t. the issue:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25725)

Long version:
It could not work, because the hooks where which mod_setenvif is invoked, are
both called *before* any authentication is done. This is unavoidable, because
one wants to use the variables, e.g. in allow/deny clauses.

However, I've tried to fix it and took the same mechanism like mod_rewrite. I
did an ap_sub_req_lookup_uri to r->uri and copied the rr->user from it.
The point is: Because of the optimization step taken in server/request.c:213,
it does not work in directory context, because -- dir_config was already
merged, but auth not evaluated yet! (remember, we're still in header_parser).
This means, the lookup technique works only in server context (not in
htaccess) or after successful authn/z (too late).

My conclusion is:
(a) parse the header ourself (-1)
(b) drop it entirely (+1)

Any opinions?

nd