Joshua Slive wrote:
> On Fri, 19 Mar 2004, Edward Rudd wrote:
>
>> I do have to question the *idea* of hacking an RFC-compliant module to
>> support non-RFC behavior?

agreed it's a borderline issue. but if you take the be-lenient-in-what-you-receive
stance it's something that we ought to support - we may represent the largest
server share, but since MSIE represents the majority of the clients, the majority
of users can't use digest auth at all.

and of course there's the security argument, but I find myself wondering if
ignoring the query string by itself is really that insecure, given the multitude
of other hurdles required to pass through the scheme and the fact that the old
digest scheme is still supported (which is all browsers like opera support anyway,
IIRC)

>> Another question would be, IF the hack does make its way in, I suggest
>> that it should be wrapped around a big IF, so that a configuration
>> directive must be enabled to enable the hack. (similar to the
>> mod_auth_ldap MSFrontPage hack)
>
> The hack would only be in effect if the AuthDigestEnableQueryStringHack
> env variable was set (which could happen, for example, using a
> BrowserMatch directive).

right. all the above aside, what we're really giving users is an option to be
tolerant. and I like the suggested approach, as it allows for more granularity
than typical per-directory directives generally provide.

it probably needs a better name, though :)

--Geoff
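As an added example, not code from this thread or from mod_auth_digest itself, the following Python sketch shows what the two client behaviours discussed above look like in the RFC 2617 response computation (MD5, qop=auth), and what a server-side switch in the spirit of the proposed AuthDigestEnableQueryStringHack variable changes. The credentials, nonces, request paths and all function names (digest_response, client_authorization, server_verify, the strip_query and query_string_hack flags) are constructed here for illustration; the server's password lookup is a constant rather than a real htdigest file. The last check in the usage block is the point behind the security argument in the message: once the server accepts a digest-uri without the query string, the same Authorization header verifies for any query string on that path.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample credentials and challenge values (not from the thread).
USERNAME = "alice"
REALM = "example"
PASSWORD = "s3cret"           # stands in for the htdigest lookup on the server side
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
QOP = "auth"


def _h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2)),
    where A1 = user:realm:password and A2 = method:digest-uri."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(method, request_target, strip_query=False):
    """Fields a client puts in its Authorization header for request_target.

    strip_query=False is the RFC-compliant behaviour: digest-uri equals the
    request target, query string included.  strip_query=True emulates the
    MSIE behaviour the thread is about: the digest-uri carries only the path,
    even though the request line still carries the query string.
    """
    uri = urlsplit(request_target).path if strip_query else request_target
    return {
        "username": USERNAME, "realm": REALM, "nonce": NONCE, "uri": uri,
        "qop": QOP, "nc": NC, "cnonce": CNONCE,
        "response": digest_response(USERNAME, REALM, PASSWORD, method, uri,
                                    NONCE, NC, CNONCE, QOP),
    }


def server_verify(method, request_target, auth, query_string_hack=False):
    """Server-side check of an Authorization header against the actual request.

    query_string_hack plays the role of the per-request switch proposed in the
    thread (an env variable set, e.g., via BrowserMatch): when it is on, a
    digest-uri that equals the request target minus its query string is
    accepted; when it is off, the digest-uri must match the request target
    exactly, as RFC 2617 requires.
    """
    if auth["uri"] != request_target:
        if not (query_string_hack and auth["uri"] == urlsplit(request_target).path):
            return False
    # Recompute over the client's digest-uri (now known to match the request)
    # with the server's copy of the password, and compare in constant time.
    expected = digest_response(auth["username"], auth["realm"], PASSWORD, method,
                               auth["uri"], auth["nonce"], auth["nc"],
                               auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    target = "/protected/index.html?id=1"
    compliant = client_authorization("GET", target)
    msie_style = client_authorization("GET", target, strip_query=True)
    print("compliant, hack off :", server_verify("GET", target, compliant))
    print("MSIE-style, hack off:", server_verify("GET", target, msie_style))
    print("MSIE-style, hack on :", server_verify("GET", target, msie_style, True))
    # What the lenient check gives up: the same header verifies for another query.
    print("MSIE-style header replayed on ?id=2, hack on:",
          server_verify("GET", "/protected/index.html?id=2", msie_style, True))
```

Without the switch the MSIE-style header is rejected because its digest-uri does not match the request target; with the switch it is accepted, and so is the same header presented against any other query string on that path, which is exactly the part of the request the hack stops covering. In Apache the switch would be per-request via an env variable, which is why a BrowserMatch on the MSIE user agent is enough to scope it.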
