Philip Mak wrote:
> 
> How do you implement your own authentication in Apache::ASP, anyway? I
> can't seem to get it to work.
> 
> I did this:
> 
> $Response->{Status} = 401;
> $Response->AddHeader('WWW-Authenticate', 'basic realm="MyRealm"');
> 

I never personally used 401 auth because of IE's caching,
but I think I have some code to finally deal with this...
a new era begins :)  

This method (code below) entirely controls the basic auth process, 
& doesn't let Apache do any of it, including the 401 error message, 
so we can control the basic realm completely. It really works for IE!

The code is a very tweaked version of what was in 
dev/*.auth and dev/auth/global.asa in the ASP distribution.
I had to not use $Response->{Status} = 401, because my 
WinNT Apache would crash with this set without other 
Apache Auth directives configured.

--Josh

# .htaccess
<Files ~ (\.auth)>
        SetHandler perl-script
        PerlHandler Apache::ASP
        PerlSetVar Debug  2
        PerlSetVar Global auth
        # session restarts every 6 seconds for testing purposes
        PerlSetVar SessionTimeout .1
        PerlSetVar StateDir /tmp/asp_auth_test
</Files>

# auth/global.asa
use MIME::Base64;
use vars qw(%PASS);
%PASS = ('TEST' => 'TEST');

sub Session_OnStart {
    $Response->AppendToLog("starting session");
    $Session->{AuthID} = substr($Session->SessionID, 0, 8).rand();
}

sub Script_OnStart {
    my $auth = Apache->header_in('Authorization');
    my($user, $pass);
    if ($auth && ($auth =~ /^Basic (.*)$/i)) {
        ($user,$pass) = split(/:/, decode_base64($1), 2);
        # with Debug set, this line writes the password to the server error log
        $Response->Debug("got user $user, pass $pass for basic auth");
    }

    if ($Session->{AuthInit} && $user && ($PASS{$user} eq $pass)) {
        $ENV{REMOTE_USER} = $user;
        $Request->ServerVariables->{REMOTE_USER} = $user;    
    } else {
        $Session->{AuthInit} = 1;
        $Response->Debug("forcing authenticate");
        $Response->AddHeader('WWW-Authenticate',
            'basic realm="MyRealm-'.$Session->{AuthID}.'"');
        Apache->cgi_header_out('Status', 401);
        $Response->Write("<h2>Failed 401 Authorization</h2>");
        $Response->End;
    }
}

# authen.auth ASP script
<html><body>
Congrats!, you got in!<p>
<% 
my $env = $Request->ServerVariables();
for(sort keys %$env) {
        print "<b>$_</b>: $env->{$_}<br>\n";
}
%>
</body></html>
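
The header parsing and password check that Script_OnStart performs, as a stand-alone added example (not part of the original post or of the Apache::ASP distribution). The names parse_basic, ct_eq and check_auth and the sample headers are constructed for illustration; the code rejects malformed headers and compares passwords without an early exit.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);
use Digest::SHA qw(sha256);
# Return (user, pass) from an Authorization header, or an empty list.
sub parse_basic {
    my ($header) = @_;
    return unless defined $header;
    # Scheme name is case-insensitive; accept only well-formed base64.
    return unless $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i;
    my $decoded = decode_base64($1);
    return if $decoded =~ /[\x00-\x1f\x7f]/;     # no control characters
    my ($user, $pass) = split /:/, $decoded, 2;  # password may contain ':'
    return unless defined $user && length $user && defined $pass;
    return ($user, $pass);
}

# Compare fixed-length digests without an early exit, so the time taken
# does not depend on how many leading characters of the password match.
sub ct_eq {
    my ($x, $y) = (sha256($_[0]), sha256($_[1]));
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. 31;
    return $diff == 0;
}

# Return the authenticated user name, or nothing (caller sends the 401).
sub check_auth {
    my ($header, $store) = @_;
    my ($user, $pass) = parse_basic($header) or return;
    my $known = exists $store->{$user};
    my $ok = ct_eq($pass, $known ? $store->{$user} : '');  # also run for unknown users
    return unless $known && $ok;
    return $user;    # never write $pass to a log
}

my %PASS = (TEST => 'TEST');    # constructed, same test pair as the post
my @cases = (                   # constructed sample headers
    [ 'valid'          => 'Basic ' . encode_base64('TEST:TEST', '') ],
    [ 'lowercase'      => 'basic ' . encode_base64('TEST:TEST', '') ],
    [ 'wrong password' => 'Basic ' . encode_base64('TEST:a:b', '') ],
    [ 'no colon'       => 'Basic ' . encode_base64('TEST', '') ],
    [ 'not base64'     => 'Basic !!!!' ],
    [ 'no header'      => undef ],
);
for my $case (@cases) {
    my ($label, $header) = @$case;
    my $user = check_auth($header, \%PASS);
    printf "%-15s => %s\n", $label, defined $user ? "REMOTE_USER=$user" : '401';
}
```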
