httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: [users@httpd] A couple of questions about mod_authz_ldap
Date Tue, 12 May 2009 21:53:46 GMT
Edward Harvey wrote:
>> And how would users who have a different set of credentials they could
>> use for this second URL enter those credentials? The RFC specifies a 401
>> response in this scenario to allow a UA to resubmit different
>> credentials.
>> You might not care about the RFC, but Apache and browsers mostly do. The
>> behaviour you want goes against the behaviour described in the RFC, so
>> to get it you would need to have a custom authorization system.
> Well, so I'm acknowledging there's no way to do what I want to do, but
> I'll respond to this anyway.
> Suppose somebody were to launch an FTP client and browse a remote
> site.  If they attempt to access an area where they are denied access,
> they would get "access denied" and then they would know they got
> access denied with the current credentials.  If they have another set
> of credentials, they will know they should reconnect with different
> credentials.
> If they're already authenticated and browsing along a website and try
> to access a restricted item, they don't get "access denied" they get
> "please enter your username/password" which is identical behavior as
> unauthenticated users.  The users that I support generally think to
> themselves, "I thought I already did?"  And they retry and retry until
> they finally conclude that isn't going to work.
> Each browser has a different way of allowing a user to re-authenticate
> with different credentials.  Some have more than one way.
> So I acknowledge the world isn't perfect, you don't always get
> everything you want, but I do want you to acknowledge one thing, if
> you please:
> If a user is already authenticated, and they try to access something
> which is denied, then it is more useful to communicate to the user
> "Your current credentials were denied" and "You may now authenticate
> with different credentials if you wish" instead of giving them the
> "Please enter username/password" prompt which is identical to an
> unauthenticated user.
Without letting this degenerate into a flame.. (or is it a troll ?)
You are probably right.
But what the previous person was telling you, is that it is not a 
problem of Apache, it is a problem of the browser.
The HTTP protocol RFC indicates what the server should do, which is to 
send a 401 response.
There is a reason for that : the HTTP protocol is state-less, which 
means that each request is independent of previous and following ones.
In-between each request, the server forgets everything.

So the server does not know that this is the nth time that this same 
user resubmitted a request with bad credentials, so it has to send the 
same answer each time.
And the answer can only consist of a status code, which is 401.
The server does not control the dialog that the browser pops up.

However, the browser knows (that this is the nth time this same request 
was refused because of wrong credentials), and the browser could pop up 
a different message in its dialog after it gets, say, 2 consecutive 401 
But this is a discussion to have with the people who make the browser, 
which is not what this list is about.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message