On 21 Apr 2014, at 12:38, Graham Leggett <[email protected]> wrote:

> Hi all,
>
> Right now, we have the SSLUserName directive, which takes an arbitrary SSL
> variable and turns it into a username for the benefit of the request. This
> has the downside that only SSL variables (and some CGI variables) are usable
> as usernames, and it combines with FakeBasicAuth to create undesirable side
> effects.
>
> What would be cleaner is if we deprecate SSLUserName and create a
> mod_auth_user.c module that declares AuthType User, and then offers an
> AuthUser directive that sets the user based on an arbitrary expression from
> ap_expr.h. This will make client certificates easier to work with, and
> provide options for authentication that aren't based purely on logins, such
> as tokens in URLs, etc.

What string should httpd return to mean “no user found”? Users are going to want this. I suggest "" (empty string).

PS. I'd be tempted to call it AuthType Expr.

--
Tim Bannister - [email protected]
