httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <>
Subject Re: [users@httpd] Authentication based on QUERY STRING
Date Wed, 26 Jan 2011 19:30:17 GMT
  On January 26, 2011 13:48 , Rich Bowen <>  wrote:
>>> On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:
>>>> I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server
within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign
from when the user's QUERY_STRING contains the string ":25:".  Otherwise he
wants to continue to enforce his
>>>> authentication.
> Meanwhile, suppressing authentication based on a query string argument is not easy simply
because it's a remarkably bad idea, as it undermines the very notion of authentication. However,
if you must do this, then you'll probably need to implement your own authentication mechanism.
HTTP auth happens too early in the process for what you're trying to do.
> The only solution that comes to mind is to have a front-end server that looks at the
query string (say, mod_rewrite) and rewrites the request to an un-auth copy of the content
when the query string has the right magic string in it.

If you're ignoring the "remarkably bad idea" part of Rich's response, 
above, here are some more ways to get in trouble:

- mod_cosign allows you to make authentication optional via the 
CosignAllowPublicAccess directive.  If you are serving dynamic content 
(a CGI, etc.), you (or your developer) can then have your dynamic 
content (a CGI, etc.) force authentication if the user is not 
authenticated and the query string does not contain ":25:", but allow 
both authenticated and unauthenticated access otherwise.  For specifics 
on how to implement this, ask on the cosign-discuss mailing list ( ).  
Unfortunately, this solution will not work for static content.

- You (or your developer) can modify mod_cosign to get what you need; 
this is horrible and ugly, but probably easier than implementing your 
own authentication mechanism. You'll probably want to add your 
additional check (return DECLINED if the query string contains ":25:") 
in the cosign source code near filters/apache/mod_cosign.c line 428.  
Lines 209-222 of the same file provide an example of code that checks 
the query string that could be rewritten for your needs.  See;a=blob;f=filters/apache/mod_cosign.c;h=3a279745e70acef52211678e2a6a3acb89392a04;hb=HEAD

> Again, this seems like a really bad idea.

The above bears repeating (if it's not obvious why its a bad idea, let 
us know so we can explain).

WHY does your developer think he needs to bypass authentication based on 
what's in the query string?  Knowing the details of the situation may 
allow us to suggest an alternative solution.  Remind your developer of

   Mark Montague

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message