Re: htaccess using AuthCookieDBI not protecting the directory index

on 15.09.2009 00:24:00 by Tosh Cooey

> André Warnier wrote:
>> Tosh Cooey wrote:
>> ...
>> Hi.
>> Does your login form page contain links to other things (for example,
>> images), which are also located in the /berlin/ area, or in other
>> directories/locations protected by the same authentication ?
>>
>>
> A bit of explanation, as a complement :
> I have not looked at the code of the Auth module you are using, but
> usually, these modules are smart enough to skip authentication (and
> return OK) when the call is made internally from within Apache, as a
> sub-request.
> What these modules cannot do however, is skip authentication for
> multiple calls made from the browser at (about) the same time.
> In other words :
> - suppose your login page itself, contains a link like
> .
> - You ask for a protected page. The server auth module notices that it
> is protected, and that there is no authentication cookie, so it sends
> the login page to the browser. When the browser sees the above link in
> this login page, it immediately issues another request for that image.
> The server now gets another request, and notices that it is for an
> object in a protected area. But it has still not received an
> authentication cookie yet with that request. So it sends back the login
> page...
> Get it ?


Got it!

Unfortunately I'm just using the standard login page that the AUTH
module comes with, view source:





Username:

Password:






I'm not even classy enough to provide her with a proper :)

Anyway, I'm glad I ran this by the list, at least I am reassured that
it's likely in the AUTH module and not some n00b mistake in my
httpd.conf or .htaccess :)

Maybe I'll bug the author of the module now.

Tosh

--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
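
The situation André describes above can be checked for mechanically. The following is an added example, not part of the original thread and not code from AuthCookie or AuthCookieDBI: it lists the resources a login page makes the browser fetch on its own and flags those that fall under a protected path. The sample page, the host names and the form field names are constructed for illustration; /berlin/ is the protected area mentioned in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that normally makes the browser fetch a resource by itself.
AUTO_FETCH = {"img": "src", "script": "src", "link": "href",
              "iframe": "src", "input": "src"}

class ResourceCollector(HTMLParser):
    """Collect URLs the browser requests on its own while rendering a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(value)

def protected_resources(login_html, login_url, protected_prefixes):
    """Return paths referenced by the login page that sit in a protected area."""
    collector = ResourceCollector()
    collector.feed(login_html)
    site = urlsplit(login_url).netloc
    hits = []
    for ref in collector.urls:
        absolute = urlsplit(urljoin(login_url, ref))  # resolve relative links
        if absolute.netloc != site:
            continue  # other hosts are outside this server's auth config
        if any(absolute.path.startswith(p) for p in protected_prefixes):
            hits.append(absolute.path)
    return hits

# Constructed sample: a login form returned for a request into /berlin/.
SAMPLE_LOGIN_PAGE = """
<html><head><link rel="stylesheet" href="/static/login.css"></head>
<body><img src="logo.png"><img src="https://cdn.example.org/berlin/x.png">
<form method="post" action="/LOGIN">
Username: <input type="text" name="user">
Password: <input type="password" name="pass">
<input type="submit" value="Log in"></form></body></html>
"""

if __name__ == "__main__":
    url = "http://www.example.org/berlin/index.html"
    for path in protected_resources(SAMPLE_LOGIN_PAGE, url, ["/berlin/"]):
        print("browser would receive the login page instead of:", path)
```

Each path reported is a request that arrives without an authentication cookie and is answered with the login page again; an empty result means the login page itself does not trigger the loop.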

Re: htaccess using AuthCookieDBI not protecting the directory index

on 15.09.2009 01:50:05 by aw

Tosh Cooey wrote:
....
> Maybe I'll bug the author of the module now.
>
I just had a quick look at AuthCookieDBI, which subclasses AuthCookie.
In AuthCookie->authenticate(), there is indeed a check for sub-requests,
always returning OK in that case.
In other words, I don't think that Apache subrequests, per se, are the
cause of the problem.
But maybe it is the fact that you are using this in a .htaccess file.
Try setting
PerlSetVar AuthCookieDebug 3
in your .htaccess file.
Then try again, and look at the server error log.

