Hi all, Right now, we have the SSLUserName directive, which takes an arbitrary SSL variable and turns it into a username for the benefit of the request. This has the downside that only SSL variables (and some CGI variables) are usable as usernames, and it combines with FakeBasicAuth to create undesirable side effects.
What would be cleaner is if we deprecate SSLUserName and create a mod_auth_user.c module that declares AuthType User, and then offers a AuthUser directive that sets the user based on an arbitrary expression from ap_expr.h. This will make client certificates easier to work with, and provide options for authentication that aren't based purely on logins, such as tokens in URLs, etc. Thoughts? Regards, Graham --