>Number: 4263
>Category: general
>Synopsis: Status: 401 header generated by CGI script no longer works
>(used to work under 1.3.1)
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Apr 16 12:10:01 PDT 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3.3 to 1.3.6
>Environment:
Red Hat Linux 5.2
Win32 (NT 4.0)
>Description:
If a CGI script generates the headers:
Status: 401 Authentication failure\r\n
WWW-Authenticate: Basic realm="My Realm"\r\n
This used to work in Apache 1.3.1 where a browser (Netscape, IE) would prompt
the user for name and password. Since 1.3.3 (not sure about 1.3.2), this is
broken. The same header would cause IE browsers (IE 3, 4, 5) to display the
error message immediately without prompting for user input. Netscape would
still prompt for name/password, but the realm is displayed as "unknown".
Please advice as if there is a workaround for this problem. Otherwise we'll
have to reverse back to 1.3.1 for all of our Apache installations.
Thanks.
>How-To-Repeat:
Here's a CGI script in Perl that would demonstrate the problem. Use IE 3, 4 or
5 as your browser. When executed by Apache 1.3.1 (either Unix version and
Win32), the browser prompts the user for name/password. When using Apache
1.3.3 or later (including 1.3.6), IE3 complains that the "requested header is
not found" in a popup box, without further message. IE4 and 5 displays the
error message from the server without prompting for name/password.
#!/usr/bin/perl
print 'Status: 401 Authentication failure', "\r\n";
print 'WWW-Authenticate: Basic realm="My Realm"', "\r\n";
>Fix:
No.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]
