I was going to suggest taking the path and not only the host:port into consideration.  
I would send the auth info back only for exact same URLs, not everything below a 
directory where auth. was required.

I believe (not sure) that you could have /secure/dir/index.html and .htaccess in 
/secure/dir/ could override .htaccess in /secure/ and allow access without 
authentication.  I could be wrong, though.  If I'm right then sending authentication 
info to the exact same path would be better.

Otis


On Fri, 18 January 2002, Matthew Albright wrote:

> 
> --- "Paul C. Bryan" <[EMAIL PROTECTED]> wrote:
> [...]
> > Storing the URL, as you suggest is overly restrictive, and would 
> > potentially require caching every separate URL that has required 
> > authentication for a particular realm.
> > 
> > Most browsers appear to send credentials for every subsequent
> > request to the same host and port. This can be a bit risky
> > in my opinion, as the user's credentials could be supplied
> > to unrelated services on the same host.
> [...]
> 
> How about a middle ground?  I was thinking maybe storing the URL of
> the place that required authentication, and then preemptively sending
> the authorization for every request that is "underneath" that place
> in the hierarchy...
> 
> Example:
> 
> We get a 401 for http://www.foo.bar/secure/index.html.  Store, along
> with the realm, "http://www.foo.bar/secure/"... and then any
> subsequent requests that startsWith that URL get preemptively
> authorized.
> 
> YES: http://www.foo.bar/secure/upload.cgi
> YES: http://www.foo.bar/secure/dir/index.html
> NO:  http://www.foo.bar/index.html
> NO:  https://www.foo.bar/secure/index.html
> 
> One other thing to think about is nested authorization... I don't
> know what apache does if you have a .htaccess file in /secure, and
> then another one with a different realm in /secure/dir ... does it
> require both username/password combos, or just the innermost one? 
> HttpClient could handle either case, I suspect, with careful coding.
> 
> matt
> 
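
The "underneath" rule Matt proposes is also what RFC 2617 tells a client to assume: everything at or below the directory of the challenged URL, on the same scheme, host and port, is in the same protection space. The following Python is an added illustration of such a scoped credential cache; it is not HttpClient code, and the class and function names (`ScopedCredentialCache`, `remember`, `lookup`) are assumptions made for this example. It goes slightly beyond the thread by keying on scheme and port (so the https case above is a NO), by collapsing `..` segments before matching (so `/secure/../index.html` cannot borrow `/secure/` credentials), by matching only on a directory boundary (so `/secure-admin/` does not match `/secure/`), and by letting the deepest matching directory win, which is one answer to the nested-realm question:

```python
"""Scope cached HTTP credentials to a protection space
(scheme, host, port, directory prefix) instead of the whole host:port.

Added example, not HttpClient's own code. Class and method names are
assumptions made for this illustration.
"""
from urllib.parse import urlsplit
import posixpath

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """Return (scheme, host, port) with the scheme's default port applied.

    The scheme is part of the key on purpose: credentials obtained over
    https must never be replayed preemptively over plain http.
    """
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def _normalize_path(path):
    """Collapse '.' and '..' segments so '/secure/../index.html' ends up as
    '/index.html' before any prefix comparison.  The trailing slash is kept
    because it carries meaning: '/secure' is a file in '/', '/secure/' is
    the directory.  Percent-encoded segments are matched as given."""
    path = path or "/"
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def _directory_of(path):
    """Directory containing the challenged resource:
    '/secure/index.html' -> '/secure/', '/secure/' -> '/secure/'."""
    path = path or "/"
    if not path.endswith("/"):
        path = path.rsplit("/", 1)[0] + "/"
    return _normalize_path(path)


class ScopedCredentialCache:
    """Remembers which (scheme, host, port, directory) a 401 came from and
    hands credentials back only for requests inside that space."""

    def __init__(self):
        # (scheme, host, port, directory) -> (realm, credentials)
        self._spaces = {}

    def remember(self, challenged_url, realm, credentials):
        """Record the protection space implied by a 401 at challenged_url."""
        parts = urlsplit(challenged_url)
        key = _origin(parts) + (_directory_of(parts.path),)
        self._spaces[key] = (realm, credentials)

    def lookup(self, request_url):
        """Return (realm, credentials) for the deepest matching space, or
        None when the request is outside every known space."""
        parts = urlsplit(request_url)
        origin = _origin(parts)
        path = _normalize_path(parts.path)
        best = None
        for (scheme, host, port, directory), entry in self._spaces.items():
            if (scheme, host, port) != origin:
                continue
            # 'directory' always ends in '/', so '/secure/' cannot match
            # '/secure-admin/'; the longest directory wins for nested realms.
            if path.startswith(directory):
                if best is None or len(directory) > len(best[0]):
                    best = (directory, entry)
        return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample: the URLs from the thread above.
    cache = ScopedCredentialCache()
    cache.remember("http://www.foo.bar/secure/index.html", "Secure Area", ("alice", "s3cret"))
    for url in ("http://www.foo.bar/secure/upload.cgi",
                "http://www.foo.bar/secure/dir/index.html",
                "http://www.foo.bar/index.html",
                "https://www.foo.bar/secure/index.html"):
        print("YES" if cache.lookup(url) else "NO: ", url)
```

Whether Apache asks for both realms or only the innermost one when `.htaccess` files are nested is a server-side question the cache cannot answer; the longest-prefix choice here simply sends the credentials that were most recently demanded for the deepest directory, and a second 401 would then cause the outer realm to be tried.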


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>