httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: [users@httpd] scripted authentication
Date Mon, 01 Sep 2003 08:55:55 GMT
>-----Original Message-----
>From: Andrew Brosnan []
>I would like to protect a directory at a point where users have already
>logged in (via a customized process).
>Basic authentication requires users type in username and passwd. I was
>searching for a way to have my scripts pass those credentials directly
>to Apache, thus avoiding the additional login window. Looking through
>the list archives it appears this can't be done. Is that correct?
>If not, can someone offer recommendations on how else to control access
>to directories and files with Apache? A gentle shove in the right
>direction would be appreciated.

I'm not entirely sure I understand your problem... Is it that you have
one directory at, say, http://yoursite/dir1 which is protected by a
login and then you have another directory at http://yoursite/dir2, also
protected, and you want it that once a user has logged in to dir1, they
get into dir2 straight away? 

If so, the problem is that once a user enters a user/pass, the browser
caches it and sends those credentials with every request for a file in
the protected directory  or its subdirectories. If the user requests a
parallel directory (i.e. not a sub-directory), the browser recognises
this as a different "realm" and so pops-up again for a user/pass. 

What you need to do is to persuade the browser to send an Authorization
header with a request for dir1 or dir2. You might try setting the same
string for the realm (AuthName directive) in each protected dir (I'm not
sure if the browser uses the realm to differentiate or if it uses the

Other solutions involve third-party software - CGIs etc. where a typical
recipe would be:

- Form to request user/pass (i.e. not using basic auth)
- server-side processes form and sends a cookie to browser
- browser sends cookie in subsequent requests
- server inspects cookie to decide on authorization (configuration can
be arbitrarily complex)

This also allows you to do things like "expire" a login if there have
been no requests for a certain time.

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>Thank you.
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:> for more info.
>To unsubscribe, e-mail:
>   "   from the digest:
>For additional commands, e-mail:
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Swiss Exchange.
This e-mail is of a private and personal nature. It is not related to
the exchange or business activities of the SWX Swiss Exchange. Le
présent e-mail est un message privé et personnel, sans rapport avec
l'activité boursière de la SWX Swiss Exchange.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message