httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <>
Subject Re: [users@httpd] SSI conditionals AFTER apache auth?
Date Tue, 14 Nov 2017 11:42:06 GMT
On Mon, Nov 13, 2017 at 8:28 PM, Adam Vest
<> wrote:
> Evening everyone,
> I'm trying to make it so that only certain elements on a web page are
> visible to users logged in, and are otherwise not displayed using
> mod_include flow control. The only way I've been able to do that so far is
> to detect the cookie that the apache auth sets, which works sort of. Of
> course if I just manually set the cookie in my browser then the stuff shows
> and just confuses the whole setup I put. I know from reading the docs that
> %{REMOTE_USER} isn't exposed to these conditionals due to the order of
> operations. However, it'd be super-cool if it WERE. I know that filter
> processing can be tweaked to a degree with mod_filter, so I'm wondering if I
> can instruct apache to process authentication ahead of mod_include? I
> couldn't find anything directly saying yes or no, so figured I'd see if
> anyone on here knew one way or the other, or see if anyone had any other
> suggestions for accomplishing what I'm looking for.
> Appreciate your help!

That is surprising, an output filter like mod_include should not have
those limitations about variables being accessed "too early" like in
<if> because it is fundamentally evaluated so late.

Are you sure your user checking syntax was right? You can test outside
of SSI with Header set Foo SUCCESS expr="..." as a sanity check.

I was going to suggest using mod_session but I don't think it is any
safer if you access its cookie directly and I don't think there is
mod_session / expression integration.h

Eric Covener

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message