>Number: 1433
>Category: general
>Synopsis: Double login with partially specified request addresses
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Nov 19 00:30:00 PST 1997
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.4 (also 1.2.1)
>Environment:
SunOS mardil.elsevier.nl 5.4 Generic_101945-49 sun4m sparc - and other similar systems with minor variations
gcc 2.7.2
>Description:
Situation: An open document root with an access controlled (basic auth) subdirectory.

Client on a host in the same domain as the server sends a request with only the host name and directory name, with no trailing slash on the directory name (e.g. http://mardil/secure).
Apache sends back an authentication request.
Client resends the request with auth info.
Apache sends a Location header with the FQDN of the server and a trailing slash.
Client sends the request (no auth info, as the host has changed).
Apache sends an authentication request.
>How-To-Repeat:
Unfortunately I am on the inside of a firewall. Duplicating should be very easy from the description.
>Fix:
Avoid sending authentication requests on something that is going to be redirected immediately like this.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
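The exchange in the report, and the effect of the suggested fix, as an added simulation that is not Apache code and not part of the original PR. The handler, the browser loop, the credentials and the "secure" realm are hypothetical; the host names mardil and mardil.elsevier.nl are taken from the report. The only difference between the two modes is whether the trailing-slash redirect is decided before or after the basic-auth check.

```python
"""Simulated server and browser for the double-login report (constructed example)."""

PROTECTED = "/secure"            # access-controlled subdirectory (hypothetical)
FQDN = "mardil.elsevier.nl"      # canonical server name from the report's Environment line
VALID = ("alice", "s3cret")      # constructed credentials


def handle(path, auth, redirect_first):
    """Return (status, headers) for one request.

    redirect_first=False reproduces the reported order (auth check, then the
    directory redirect); redirect_first=True applies the suggested fix and
    decides the redirect before asking for credentials.
    """
    def needs_redirect():
        # A directory was requested without its trailing slash.
        return path == PROTECTED

    def redirect():
        # Location carries the FQDN, so the browser sees a different host.
        return 301, {"Location": f"http://{FQDN}{path}/"}

    def denied():
        if path.startswith(PROTECTED) and auth != VALID:
            return 401, {"WWW-Authenticate": 'Basic realm="secure"'}
        return None

    if redirect_first and needs_redirect():
        return redirect()
    if (response := denied()) is not None:
        return response
    if needs_redirect():
        return redirect()
    return 200, {}


def split_url(url):
    """Split 'http://host/path' into (host, '/path')."""
    host, _, path = url[len("http://"):].partition("/")
    return host, "/" + path


def browse(url, redirect_first, max_hops=10):
    """Simulate a basic-auth browser; return how many times the user is prompted.

    Credentials are remembered per host, so a redirect to a different host
    (mardil -> mardil.elsevier.nl) is sent without them, as in the report.
    """
    creds = {}
    prompts = 0
    for _ in range(max_hops):
        host, path = split_url(url)
        status, headers = handle(path, creds.get(host), redirect_first)
        if status == 401:
            prompts += 1            # user is asked to log in
            creds[host] = VALID
        elif status == 301:
            url = headers["Location"]
        else:
            return prompts
    raise RuntimeError("too many hops")


if __name__ == "__main__":
    print("reported order:", browse("http://mardil/secure", redirect_first=False), "logins")
    print("fixed order:   ", browse("http://mardil/secure", redirect_first=True), "logins")
```

Run as a script it shows two login prompts for the reported order and one once the redirect is decided first; a request for an unprotected path never prompts in either mode. The underlying point is that the 401 in the first exchange is wasted work: the credentials it obtains are bound to the host the client typed, and the 301 that follows moves the client to a host for which it holds none.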
